July 1st was "Twittersec" day as coined by @hevnsnt over at I-Hacked.com to designate July 1st as change your Twitter password day. Why? Mostly because July is the "month of Twitter bugs" created by a security researcher in which he will announce a bug in a "3rd party Twitter application" everyday for the month of July to raise awareness on security issues with the Twitter API. Technically, this should be "month of 3rd party" Twitter bugs but whatever. Either way it will raise awareness about some of the security issues of Twitter and 3rd party applications.

ANYWAY, back to my point....I sent out some tweets about changing your Twitter password and now being a good time to use a password manager like Keepass to manage multiple, complex passwords for everything...not just social media sites. One problem though is that each site might have different password length and complexity requirements. This becomes an annoying issue when you choose a randomly generated password like I suggest when using a password manager. You will encounter many sites that have specific requirements and others that do not. Obviously, the longer and more complex the password is the harder it is to crack so I suggest going as long as you can. Sad that there are these limitations on certain sites (blame the site developers) but if you set your random password generator to a very large number (I recommend at least 20 with a mix of everything you can throw at it including white spaces if the site will let you), it's as good as your going to get.

Keep in mind, some applications even supported by the site (like the Facebook app for BlackBerry and iPhone) might not like passwords over a certain length or even certain special characters...you will know once you use these apps. Also, I mention Keepass as a password manager because you can use it on a BlackBerry or Windows Mobile device as well...an iPhone version is being worked on. So here you go...max password lengths for the major social media sites:

Twitter
None. I tried a 500 character password with everything but white spaces and it worked.

Facebook
None. I tried a 1000 character password with everything but white spaces and it worked.

MySpace
10 characters! Wow...really bad. Now I know another reason MySpace sucks.

LinkedIn
16 characters! This is interesting. LinkedIn truncates the password to 16 characters! Even if you put in a password larger then 16 characters it will only use the first 16, you can actually see this when entering in a password. No user notification, no info about this in the 'help' section. Sneaky and evil.

YouTube
None. Your account is tied to your Google account so is kind of a pain to change...but I didn't find any issues with length or complexity.

On another note...I wonder if Twitter and Facebook truncate the passwords at a certain length and don't tell you? Not sure...but it would be interesting to find out. This is another bad design as a they could easily just hash the entire password (which is a certain manageable length) and the hash is stored in the database not the large character password. Does this mean that sites like MySpace and LinkedIn are storing passwords in clear text? Also, I have run into other sites (non-social network) that actually truncate the password because when you try to login with an overly complex password...you get denied! Then you enter the cycle of doom...resetting your password thinking you fat fingered that password to begin with over and over. :-/

Are social media password limitations working against you?
Finally, just a quick point on this. Social media sites like MySpace and LinkedIn should NEVER have any limitations on password length or complexity. Certain complexity restrictions (like white space or strange characters) I could understand since you would have to use these passwords on mobile devices and other integrated apps. However, there are no technical limitations of just hashing the passwords to a constant length...and we all know storing passwords in a database in clear text is never a good thing.

Shouldn't these social media sites that you already give your personal information to be trying to protect you the user as best as they can by letting you set a long and complex password? Let's hope MySpace and LinkedIn get better at this real soon!

If you have been using social media or are curious of the security of this emerging technology you may be interesting reading my recently published article in issue 21 of (IN)SECURE Magazine. In my article I discuss why companies are starting to use social media, the benefits/risks and what information may be posted about your company on social media/networking web sites. I also talk about some cost effective tools your company can use to start your own social media monitoring program (without spending a ton of cash) and how to put in place guidelines for employees regarding the use of social media. Yes, even if you block these sites in the workplace employees are going to use social media/network sites outside of work if you like it or not...you had better get used to it and adapt your policies!

This article started from me actually seeing how much information there is about businesses within social networks. Both good and bad! The information I have found has been extremely valuable when conducting penetration tests. In fact, this information can be so valuable that you may be surprised how easy it is to use this information for social engineering or more...the possibilities are endless. As I pointed out in my article, get together with the business leaders in your marketing and/or public relations group and talk about social media and how to use it with a bit of security and privacy in mind. You might be surprised how receptive they are to the input from a security professional!

Here are the links for the tools from my talk titled "New School Man-In-The-Middle" that was given at the North East Ohio Information Security Forum (NEOISF). I will update this post with a link to the slide deck on SlideShare by the end of the week. Thanks to everyone for coming out!

Old School!
Wireshark

Ettercap
Cain


New School!
Network Miner
The Middler
SSLStrip

* Note: ...both the new and old school tools provide the pentester with a ton of value! Use them all!

MITM Defense
ArpON
ArpWatch

UPDATE: Click here to view the slide deck.

Do you have a BlackBerry for work and you have a corporate policy pushed down and managed by your corporate IT team? Depending on how locked down the policy is for your corporate BlackBerry deployment you may be syncing sensitive or confidential data to a public web site.

So I recently installed the Facebook Blackberry Application v1.5 on my BlackBerry and noticed two interesting settings. First, you can sync your Facebook calendar with your BlackBerry calendar. Second, you can sync your Facebook contacts with your BlackBerry contacts. As far as I can tell syncing is only one way...sort of. The Facebook application has a disclaimer when you install the application that says:

Facebook will "periodically send copies of your BlackBerry device Contacts to Facebook Inc. to match and connect with your Facebook Friends."

So does this mean Facebook has a copy of your corporate contacts? They must somewhere to do the proper sync matching. There is another disclaimer at the bottom of the "setup wizard" that says you allow Facebook to do this interaction per the same way applications have access to your profile data in Facebook. Interesting. Again, not a nightmare situation...but if any of your business contacts are sensitive in nature I would be hesitant to enable this feature. Worse case? I couldn't think of a worse security nightmare then of all your users automatically sending sensitive calendar entries with proprietary data to Facebook! So yeah, one way is good. For now one way sync is all the Facebook application does but I would be willing to bet that this will change in the future. Be careful with this one.

So lets step this up a bit. What about two way syncing applications like Google Sync? Google Sync will sync your Google Calendar/Contacts with your Blackberry Calendar/Contacts...both ways! This might be a real problem if you make your Google Calendar public or share it with a group of friends. Same goes for your business contacts. You may have just given Google (and possibly the world) all your business calendar entries. Well..we know Google isn't evil, right? :-/

What can we do about this? As a user...opt out of installing any syncing apps on your corporate BlackBerry for starters. But what about blocking syncing on the device via BES policy? As far as I can tell the only way is to block the application from being installed via policy. This will become problematic when Google/Facebook releases new versions for example. Not sustainable. I'm no BES administrator but there might be other ways to prevent the application from being installed or the syncing from happening but it brings up some interesting discussion. By the way, there are some problems when you have the Facebook application and Google Sync installed at the same time. No thanks.

Something else to think about. How does your company handle BlackBerry deployments? Are they company issued and owned? Or do you allow your users to own them and the company pays for the data plan? All of this would have to be considered before blocking or preventing syncing applications (or any third-party application) from being installed. If you have any thoughts or ideas on this, comment below!

I'm back from Notacon 6 that took place in Cleveland over the weekend and finally have some time to get a post up. All I have to say is...wow. What a great con! This was my first Notacon (yeah, I live in Cleveland...sad I know) and I was totally impressed! There was a great line up of speakers, really fun events and a kick ass game room. The game room was really cool. They had everything from a fully loaded NES and Commodore 64 for your retro gaming fix as well as Rock Band and Guitar Hero. Speaking of Rock Band...myself, Chris, Jack, and Jane entered into the Rock Band competition as the "Notabots". We won the highest score competition and walked away with over a case and a half of Bawls energy drink, a few books and a sweet retro floppy disk clock. If you know me at all...the energy drink was the best prize ever! :-)

Just like most other smaller con's the best part is still the great networking opportunities. One talk that was really outstanding was the talk by James "Myrcurial" Arlen titled "From a Black Hat to a Black Suit - The Econopocalypse Now Edition". His talk is honestly one that anyone wanting to advance their career in Information Security should see. One thing I took away from his talk was that those of us in Information Security should never forget to mentor others, especially those in an entry level position. Remember, we were all the new guy just getting our feet wet at some point...having a mentor is invaluable to the learning process especially in the beginning of your career. In addition, James is a great guy and is someone who has pretty much "seen it all" when it comes to the corporate world.

Rise of the Autobots: Into the Underground of Social Network Bots Presentation Materials
My presentation went great! Thanks to everyone that came out to see it and for all the feedback. I was stoked that we were able to release some really cool code thanks to Robin Wood and announce a new open source project. You can download the Twitterbot POC code here from Robin's website. I posted the slides from my presentation on Slideshare and the video should be up with the rest of the Notacon presentations soon. This won't be the end of this research. I am hoping to put together a white paper on this subject using the research I have done thus far. The Notabot code I mentioned is available on the socialnetworkbots.com project site which I will talk about more below.

UPDATE: The video from my Notacon talk is available now to view on Vimeo.

Details on the Social Network Bots Open Source Project
I created a SourceForge project for all the development for the bot army I am looking to create (joke). Basically I'm looking for others interested in developing bots for social networks to join up on the team and contribute code to the project. I have already talked to some of you at Notacon and there looks like a few of you would like to work on N0tab0t version 1.1 which might be...well interesting to say the least! You can check out the project on socialnetworkbots.com. We are looking for any kind of social network bot...not just Twitter bots. If you want to join in, post something on the project forum or send me an email.

Stay tuned. Lots of more social media security research goodness coming soon! Thanks for sticking around for the ride! :-)

It's time to gear up for Notacon 6 which starts for me on Thursday night at 7pm. I will be at the preview night giving a short overview of my presentation on Saturday "Rise of the Autobots: Into the Underground of Social Network Bots". I have been busy tuning and making some last minute updates to the presentation. Some of these last minute updates include some code that myself and a few others have been working on as well as the announcement of a new open source project. What would a con be without a release of some code right? This is exciting stuff that I'm looking forward to talking about in my presentation. It all goes down at 5pm in the East Ballroom on Saturday.

Shortly after my talk on Saturday I will have my presentation posted as well as links to the code being released and links to the new project I will be talking about. Stay tuned to this blog for those details over the weekend.

At Notacon I will also be participating in Notacon Radio with the other co-hosts of the Security Justice podcast. Follow Security Justice on Twitter for details on when we will be live. We should be doing some interviews with some of the speakers as well. If you are at the con, stop by and say Hi!

Some other events at Notacon...there is a Security Twits meetup taking place on Thursday organized by @geekgrrl. If you plan on going you need to RSVP via DM to her like yesterday...I'll be there as well as a few others from Twitter.

I also posted a list of recommended Notacon speakers and events on the Security Justice web site you can check out here so I won't regurgitate the speakers that I will be going to see. Anyway, I should be live tweeting as I usually do at conferences so be sure to follow me for Notacon updates.

Lastly...this has been a crazy 2-3 months for me. Lots of changes going on with things I have been involved with and projects I have been working on. With all of this activity it has left little time for the blog but I will be getting back into regular posting once things slow down a little so thanks for sticking around. I am still amazed that this whole social media/networking security research has really taken off for me. I must have found a niche! :-) I still have a focus on pentesting (mostly for my job) but it's cool to see how other interests evolve and morph into greater things. Such is life right?

What have I been doing lately? Why the lack of posts? Well...I have been preparing for my talk at Notacon 6 called Rise of the Autobots: Into the Underground of Social Network Bots. Who are these bots and what are they here for? From my abstract:

How do you know that last friend request or Twitter follower was an actual live human being? The truth is...you don't! Bot's and bot manufactures have become rampant in social networks such as MySpace, Facebook and Twitter exploiting the trust relationships that make social media work. Why are bots taking control of social networks? It's simple. Social networks are the fastest growing phenomenon of our time. For example, Facebook alone recently reached 150 million potential targets for spammers, malware authors, and other undesirables in 2008. Social networks are only getting bigger and bots will be part of this trend.

This presentation will take you on a journey into the thriving bot underground where bots are manufactured for every purpose imaginable. We will talk about good bots, bad bots, *really* evil bots, how to identify bots, terminating bots and the future possibility of social network botnets to rule them all.

This talk is the result of many months of research that I have been doing on this subject. Here are three things from my research as a teaser for my talk:

1. You will find it fascinating that bots are a huge part of social networks. Bots are not only used by the bad guys but legitimate users as well.

2. There will be discussion on why spammers are targeting social networks and how most of this bot activity falls under the guise of "Blackhat SEO". I have been finding that there is a thin line between what constitutes "Blackhat" vs. "Whitehat" and that line will continue to blur. You will be amazed (as I was) with the business and money making model(s) that spammers and malware authors use. There is a ton of money being made from using these techniques and tools! Want an idea how much? Check out Jeremiah Grossman's recent presentation on Blackhat SEO...you might want to quit your day job.

3. How do you use bots to create accounts? What are the most popular tools available? How about just buying hacked/bot created accounts in bulk then use these tools to SPAM friends lists? Also, as a tie in to the tools that are used we will talk about why CAPTCHA's and other controls are not working. Finally, don't forget about the new frontier of botnets and social networks...this is an untapped area thats only going to get more interesting.

So, if you are coming to Notacon 6 (April 16th-19th) hopefully you can stop by. I promise, my talk will be entertaining! Stay tuned to this blog...after the talk I plan on releasing detailed articles on some of the specific topics from the talk.

Of course you do!

If you don't know who Chris Nickerson is...then you should. Chris is the founder of Lares Consulting, was on the Tiger Team TV show and also a frequent speaker at security conferences who talks about tiger team/red team operations. He also talks about how social engineering is more important then ever to include in your penetration testing program. I couldn't agree more! In fact, he's giving a free webcast with Mike Murray on March 10th called "Modern Social Engineering - A Vital Component of Pen Testing".

Via the Carnal0wnage Blog:

"The world of Information Security is changing. Budgets are tighter, attacks are more sophisticated, and the corporate network is no longer the low hanging fruit. That leaves web-enabled applications as the vector-du-jour, but that well is quickly drying up for organized crime as well. As they creep up the OSI Model looking for easier ways to steal your corporate assets, they are quickly making their way up the stack to the unspoken 8th layer, the end user. So what is the next step in the never-ending escalation of this cyber war?

To find out, we must do as Sun Tzu taught. "Think like our enemy!" That is, after all, the primary tenet of penetration testing AKA ethical hacking, isn't it? After years of hardening physical systems, networks, OSs, and applications, we have now come full circle to a new dawn of attack. People are now the target of the advanced hacker, and the cross-hairs are focused squarely on their foreheads... literally. It is only a matter of time before corporations feel the pain of wetware hacking requiring a new approach to testing and defense. "

You can sign-up for the webcast here. Also, Chris and Mike are doing a "Social Engineering Master Class" at ChicagoCon this year which looks awesome! Looks like there are only 25 seats so check it out if you can. Interestingly enough Chris has just started blogging so be sure to check out his blog. If that wasn't enough...we (Security Justice) recorded a special edition podcast with Chris in which he talks about his adventures on the Tiger Team TV show.

I have been seeing a bunch of friends on social networks filling out these "25 Random Things About Me" surveys. I just saw another one going around called "44 Odd Things About You" as well. I remember this similar type of activity passed along in email several years ago but now it's made its way to social networks such as Facebook and MySpace. Here is what the request looks like once you have been "tagged" by one of your friends:

RULES: Once you've been tagged, you are supposed to write a note with 25 random things, facts, habits, or goals about you. At the end, choose 25 people to be tagged. You have to tag the person who tagged you. If I tagged you, it's because I want to know more about you.

This sounds fun and a good way to network with your friends, however, let me tell you why putting in this information might be a bad idea.

What's the big deal? This is fun...right?
One of the basic rules everyone should be following when using social networks is that you should consider everything you post as public information. For example, would you write down these 25 random things about you, stick your name on it, make copies and put them in the mailboxes of complete strangers in your neighborhood? Are all of the people you are friends with truly your friends? Will they always be your friends? How is your profile configured? Have you looked at your "Notes" application settings in Facebook? More importantly, do you allow your profile to be searched by search engines? If you posted these 25 random things to your profile and/or wall, you may have inadvertently allowed these things to be found by total strangers. Remember, personal information on social networks always seems to get out even if you do use the correct privacy settings...sometimes through no fault of your own.

Can I haz your password plz?
With these 25 random things about you someone may even be able to use your answers to gain access to your email, other social networks, bank accounts, etc...why? Check out this list of questions that are asked when requesting a "lost password" or "password reset". Many of these are from online banking and other sensitive web sites and looks similar to...25 random things about you.

Think this doesn't happen? This type of attack did happen to Vice Presidential candidate Sarah Palin last year. A hacker was able to reset her Yahoo email account password using information he found on her publicly accessible Wikipedia page. Here is a quote from the Sarah Palin hacker:

"...after the password recovery was re enabled, it took seriously 45 mins on wikipedia and google to find the info, Birthday? 15 seconds on wikipedia, zip code? well she had always been from wasilla, and it only has 2 zip codes (thanks online postal service!)

the second was somewhat harder, the question was “where did you meet your spouse?” did some research, and apparently she had eloped with mister palin after college, if you look on some of the screenshots that I took...so graciously put on photobucket you will see the google search for “palin eloped” or some such in one of the tabs.

I found out later though more research that they met at high school, so I did variations of that, high, high school, eventually hit on “Wasilla high” I promptly changed the password to popcorn and took a cold shower…"

This could happen to anyone! So by knowing some of your 25 random things, someone may be able to reset your passwords, impersonate you or even cyberstalk you. My advise? Don't fill these things out or leave these surveys very general and not too detailed. Email might even be a safer place for this type of information.... Stop and think before you post overly detailed information about your life on social networks..it can all potentially be used against you.

I'm here in DC getting ready for ShmooCon which starts tomorrow. I had some time to blog before things get crazy later tonight when everyone starts to arrive for the con.

UPDATE: Ummm...someone *may* have hacked the Windows kiosks at the hotel...saw Ubuntu loading on one and Howard the Duck playing on another...probably shouldn't use those kiosks, huh?

Anyway, I thought I would share some first impressions of the talks and what I will probably attend. Keep in mind, there are lots of great talks going on all weekend and it will be really hard to make all the ones I want to see but here is my short list of not to miss talks:

Friday, February 6th

Open Vulture - Scavenging the Friendly Skies Open Source UAV Platform
Ethan O'Toole and Matt Davis

An open source UAV? How friggin' sweet is that? Now you too can spy on your own neighborhood... :-)

Building the 2008 and 2009 ShmooBall Launchers
Larry Pesce and David Lauer

Of course I will be in this one! Dave from Security Justice and Larry from PaulDotCom will be talking all about the new ShmooBall launchers for this year. Dave and Larry never disappoint and I assume there will be some surprises as well.

Decoding the SmartKey
Shane Lawson

I love physical security just about as much as information security so this one should be interesting. Shane will talk about how to decode the Kwikset SmartKey with materials costing under $5.

Podcasters Meetup/HacDC party

I will be there along with Matt and Dave from Security Justice. Looks like we are going to do a live show at 8pm, give away some prizes, start FireTalks then party with the folks from HacDC. Check out the podcasters meetup site for more details on times and official schedule.

Saturday, February 7th

Radio Reconnaissance in Penetration Testing - All Your RF Are Belong to Us
Matt Neely

My friend and fellow co-host of the Security Justice podcast, Matt Neely is doing a talk on ways to use radio reconnaissance in pentests. Matt does a ton of research with wireless so it should be really interesting to see what new techniques he has come up with. I hear that Shmoo Balls may be launched during this talk.... :-)

Fail 2.0: Further Musings on Attacking Social Networks
Nathan Hamiel and Shawn Moyer

I was at BlackHat last year and saw Nathan and Shawn's talk titled "Satan is on my friends list". These guys do great research on social network security and I am looking forward to see the new stuff they came up with for this year. As a bonus, they should have AFF (Adult Friend Finder) pr0n and related adventures. ;-)

Man in the Middling Everything with The Middler
Jay Beale

Jay Beale is speaking once again about the Middler! You may remember the Middler was to be released at Defcon last year...that didn't happen for a bunch of reasons. However, I think Jay will finally be ready to release it! Jay is a great presenter to boot..highly recommended you attend this one. Another talk to beware of Shmoo Ball cannon fire...

802.11 ObgYn or "Spread Your Spectrum"
Rick Farina

All Your Packets are Belong To Us: Attacking Backbone Technologies
Enno Rey and Daniel Mende

The Fast-Track Suite: Advanced Penetration Techniques Made Easy
David Kennedy

You may remember Dave from one of the first Security Justice Special Editions last year. Dave will be going in depth with the Fast-Track suite which is part of Backtrack 3. Knowing Dave, I'm sure he will be talking about and/or demoing new features in Backtrack 4. Shmoo Ball cannon may make an appearance...

Sunday, February 8th

Enough with the Insanity: Dictionary Based Rainbow Tables
Matt Weir

Yes! Improvements to rainbow tables...can't wait!

RFID Unplugged
3ric Johanson

Looks like RFID is going to torn apart in this one...good stuff! Interested in the PayPass vulnerabilities he is going to talk about.

0wn the Con
The Shmoo Group

What to know what it takes to put ShmooCon together? Be sure to check out this talk and learn how it's all done.

If you are around the con send me a tweet on Twitter or stop by the Podcasters Meetup if you want to chat! Hoping I can blog and/or live Tweet from some of the talks.