Just a quick blog post about the latest release of Maltego that was just announced. This is great! You can now create custom transforms that will integrate directly with Maltego! This is something that many of us have requested and it's finally here. From first glance it looks like you can code them in any language as well. Should be interesting to see what the community comes up with in regards to transforms now. I know I have some ideas....

Oh and if that wasn't enough the pentest entities are now also available locally!

Great work Maltego team! Check out the full announcement here.

What is Maltego if you don't know about it?
"Maltego is a unique platform developed to deliver a clear threat picture to the environment that an organization owns and operates. Maltego’s unique advantage is to demonstrate the complexity and severity of single points of failure as well as trust relationships that exist currently within the scope of your infrastructure.

The unique perspective that Maltego offers to both network and resource based entities is the aggregation of information posted all over the internet - whether it’s the current configuration of a router poised on the edge of your network or the current whereabouts of your Vice President on his international visits, Maltego can locate, aggregate and visualize this information."

Read more about Maltego here.

I won't beat a dead horse...we all know that Twitter had a few *security issues* this week. The good news is that usually once something like this happens to a company (especially one that gets so much media attention) things start to change and security gets taken a bit more seriously. Lets remember that Twitter suffers from the traditional security problem of not building an application with security in mind, however, lets hope these issues bring change to one of the most used social media services.

Below is the break down of events with some of my own comments and links to good articles that detail out everything that happened.

#1 Twitter Phishing Attack
I wrote a blog post about this a few days ago. Basically, this is no different then what you see in any other traditional phishing attack except that this is the first time Twitter was targeted on a large scale. Some have even said this was a "worm" because of the way that the phish propagated.

Once a user clicked on the bogus link, entered in their Twitter credentials...their Twitter account was compromised and automatically used to send DM's (direct messages) to others the compromised user was following. Twitter quickly reacted and worked with blogspot and others to shut down the redirect. However, the web site that hosts the fake Twitter sign-on page is still active and is even being used to phish Facebook users! Why is this not shutdown? Long story but the site is hosted in China and that presents a whole host of issues to get the site taken down. The good news is that if you try to go to the URL in Firefox or Safari the phishing filter kicks in and stops you from going there. I haven't tested IE 7...and neither should you. :-)

On a side note, I agree that OAuth (or something like FriendFeed's Remote Key) should be implemented as part of an overall security strategy for Twitter but would not prevent traditional phishing attempts like this from happening (some others share this opinion as well). OAuth is good for authenticating third-party applications (like Twillow or Twitterfeed) that require your Twitter credentials to access your account and do things on your behalf. Lot's of discussion going on the blogs about this and I'm sure it will continue.

Links that have good information about the Twitter phish: Twitter's Blog, Naivete: Web 2.0’s biggest security threat and an article over at Twitter Truth

#2 Twitter gets Hacked
This was not related to the phishing incident. Pure weird coincidence that this happened right after users started to figure out what happened with the phishing issue. Ironically, many of us on Twitter (including myself) thought that this was related to phishing after we saw @foxnews get owned but once Britney Spears, Obama and others started showing up with strange tweets many of us knew there was something else going on.

Basically, an 18 year old who wanted to "pen-test Twitter" decided to build a Twitter brute force application that would try common dictionary words against at specific Twitter account. One problem with the current Twitter security model is that there is no lockout policy, meaning, you can try as many failed passwords as you like until you get lucky with the correct password. This guy found one of the accounts used by the Twitter support people (Crystal) and brute forced the password using his tool. Password of "happiness" was found and he was in! There was a password reset feature in the administrative panel that allowed him to reset the password and change the email address of any Twitter account. He didn't use the accounts himself, rather...he posted that he had access to 33 accounts and gave access to others in a hacker forum that requested the accounts. You can read more about this in the Wired article below as well as see the YouTube video that the hacker put up to prove he did the hack.

Weak Password Brings 'Happiness' to Twitter Hacker

How does Twitter get fixed?
Security is always about compromise and with Twitter in particular there has to be a balance between usability and secure features. I was a guest on the SecuraByte podcast the other night talking about the recent Twitter security issues as well as how to secure social media in general. We came to the conclusion that there is no good answer. However, we all agreed that there has to be a mix between technical and non-technical solutions. The technical being better forms of authentication and basic web application security controls (account lockout, email verification..as examples) for starters. On the non-technical side there has to be more basic security education (setting unique hard to guess passwords as an example) focused on the users of social media through lots of different means. There is no good answer to these problems and there are many different opinions but hopefully we can all come to some common ground so we can all make social media more secure for everyone.

Here are a few good links with things that Twitter should consider when re-evaluating the current model:

Ten Security Measures for Social Networking sites - ThreatChaos
Twitter and the Password Anti-Pattern - FactoryCity
The inevitable rise (and fall?) of ‘twishing’ - Jennifer Leggio ZDnet (guest post by Damon Cortesi)

I think we can all agree that Twitter needs to do something soon as the current security model is not sustainable for very much longer.

What are your thoughts on the recent Twitter security issues and social media security in general? How do you think we can we make social media more secure?

Welcome to 2009! As many have said...it was just a matter of time before Twitter had a somewhat significant attack...well, here it is! I just had a post up last week about how many of us that use social media just blatantly trust every site that asks us for Twitter credentials. Well if you don't look at the URL carefully even the security aware could be fooled by this one. Tonight there was a lot of tweets about the following phishing attack....

You will get a DM (direct message) in your email from a user with the following message:

hey! check out this funny blog about you...
hxxp://jannawalitax.blogspot.com

If you click on blogspot link this is basically a redirect to the following fake Twitter site:



Looks just like an identical copy of the real Twitter site except for the URL! (don't go to this URL...)

About an hour after this started going around Twitter it looked like Firefox 3 picked up that this was a reported phishing site and you now get the following message:



Looks like Twitter and others moved quickly to get the redirect shut down. If ignore the Firefox warning to the blogspot page you get this:



However, the phishing site is still active and will probably be for awhile. Do not enter in any login credentials at any site other then twitter.com. The fake site in this case is twitter.access-logins.com/login. Note that if you take off the "login" at the end of the URL you are sent to a fake Facebook login page! Looks like these guys have been doing this for quite some time.

One interesting note about this attack...how does someone send you a DM without you following them? There was an interesting hack that is documented here that used to work, however...Twitter fixed this a few months ago. My only guess is that multiple hacked accounts were used to send legitimate DM's. I'm not 100% sure how DM's are being propagated in this case but it should be interesting to find out how the attack started in the coming days.

Kudos to the Twitter team and all the Twitter users that retweeted and got to word out. This alone hopefully mitigated much of the threat. I even saw in the Twitter web client that @twitter posted a warning message on the page about the threat. Great work Twitter team!

What if you gave your credentials away to this site?
Change your password immediately! Also, do you use this same password for Facebook, Myspace, email and other sites? Change those as well! Give a password manager like 1password or KeePass (KeePass is free BTW) a try to set unique passwords for every site/application you use. That way if your Twitter account did get compromised, your other accounts are safe. See this post for more information.

There was a good post over at ThreatChaos the other day about a new Firefox extension which will automatically show you the real URL's of shortened URL's. What is URL shortening? For example...this long URL:

http://www.google.com/maps?f=q&hl=en&geocode=&q=washington+dc&sll=37.0625,-95.677068&sspn=33.764224,56.25&ie=UTF8&ll=38.905996,-77.023773&spn=0.25915,0.439453&z=11&g=washington+dc&iwloc=addr

becomes...

http://tinyurl.com/9lum95

By using a service like Tinyurl or one of the many other sites available you can easily shorten a URL so your friends don't freak when you send them long links. When it comes to Twitter it becomes almost mandatory that you shorten that long URL to meet the 140 character limit in your tweets.

What's the problem?
Getting people to click on a malicious link just got easier with these services. Sure, people will still click on strange URL's without a mask (even manually typing in strange URL's as I showed in this post), however, by masking *any* URL with these services a phishing or malware attack can be even more successful.

Also, how can you *easily* see what the real site is behind one of these short URL's? TinyURL and others offer you a service to "preview" URL's but many sites don't offer this and who is actually going to attempt to manually verify what is behind those links? That's way too much work.

Another problem is that some of these short URL services allow you to obfuscate an already short URL with another short URL. Take for example Xrl.in. The TinyURL above (http://tinyurl.com/9lum95) becomes http://xrl.in/1b0i. This throws off the preview feature of many sites like this. This problem could add multiple redirects and levels of obfuscation to malicious links. All it takes is the right combination of short URL sites.

Right before I was about to post this I saw a post by Jennifer Leggio over at ZDNet regarding the URL redirection issue. She mentions that FriendFeed has implemented a feature that reveals short URL's if you hover your mouse over the links. This is great...for FriendFeed, what about other more popular social media sites? Check out her article for a good overview of the issue and some interesting information about what other social media sites are doing and not doing about this problem.

The "Long URL Please" Solution
While not 100% perfect this a great start and it looks like the developer is working on improving the Firefox extension and API. You can even use it with other web browsers besides Firefox with a bookmarklet available on his site. Simply click on the bookmarklet and it will transform all the short URL's on the web page currently loaded.

The Long URL Please Firefox extension will automatically show you the true URL of 30 supported short URL site's. No hovering over a link or clicking to a site to preview it. It just shows you the link...no extra work on your part. This works great for the Twitter web client as well as any web page that has a link from one of the 30 supported services. One problem I saw was that short URL sites like xrl.in and others will keep popping up (I listed a site above that links 70 of these services). It's going to take some work from the developer side to keep up with all of these new services. In addition, this doesn't help with Twitter applications like ones that are Adobe Air based or developed using another type of framework. However, it looks like the developer is working on it and he is trying to get other applications to integrate to his API. Either way, check out this great extension and follow the developer on Twitter to get news on improvements. I look forward to see how this type of extension will evolve.

Short URL's won't be going anywhere soon...lets hope social media applications and end users start using them with a little bit security in mind.

What solutions do you think could solve the short URL problem?

This is really cool. The guys that brought you the JanusVM Internet Privacy Appliance are about to release instructions on how to make a hardware privacy adapter. What is a hardware privacy adapter you ask?

Via Hack a day:

"It’s a small two port router. You just plug it in-line between your computer's switch and your internet connection. It will then anonymize all of your traffic via the Tor network. You can also use it with OpenVPN. The hardware appears to be a Gumstix computer mounted to a daughtercard with two ethernet ports. It will have a web configuration just like a standard router. This looks like a great plug-n-play privacy device."

Once you buy all the parts you can build your own for about $250. Not too bad for an easy way to anonymize all of your traffic over the Tor network or a VPN. Tor and Privoxy can sometimes be a real pain to configure so something like this would be fantastic to just plug in and configure once. It's also nice that is can use OpenVPN as well.

My only issue with Tor is that it can be *really* slow for web surfing depending on what relays you connect to and there are some warnings you should be aware of. Also, your Tor installation needs to be updated frequently as the development team is always making updates and improvements. However, Tor is better then nothing if you are concerned with online anonymity.

Kudos to the JanusPA team...looks like I might have a hardware project to work on next year once the instructions get released.

It's always interesting to me when I check out a new Twitter application, it always seems to ask you to "verify" your account or ask you to pass your Twitter user name/password to their application. This of course is done without any protections or any way of knowing what happens to your account information on the other end.

Take for example a recent find called Twellow which is basically a big directory of Twitter users (like the yellow pages). Twellow has some neat features like searching for other Twitter users by keywords and interests. Twellow like many of these types of Twitter applications work by scraping public timelines to populate their site with your information. Twellow asks you to "claim" your profile by putting in your Twitter password. This is where it gets interesting...

To the unsuspecting user it's tempting to just give your credentials away to every website that asks for it. Twellow is a good looking, legitimate website right? Did you stop to think what could happen to your login credentials? Can you really trust that they don't record your credentials? The disclaimer says they don't use your password for anything...you trust everyone right? :-)

What's your Twitterank?
If you are a heavy Twitter user you may remember the Twitterank fiasco about a month ago. Like many people on Twitter just hearing of a website that will calculate your "rank" on Twitter sounded like a cool idea. No harm in this right? Rumors quickly spread on Twitter and in the blogosphere that Twitterank was a phishing site and that the developer was harvesting Twitter accounts. It ended up that this was most likely a legitimate application...BUT...why do you trust it? Why as social media users do we blatantly trust every Twitter or social media developer out there? No offense to the developer of Twitterank but there are way too many of these sites out there that ask for your account information. A real Twitter phishing site is easy to do using these same tactics. All you need is a legitimate looking website that preys on human weakness...we all want more followers and more rankage, right? For example, if you want to see a spoof Twitter phishing site, check out Twitter Phisher done by the fine folks over at Hak5 (be sure to view source in your browser for some extra lolz).

What's the fix?
First, social media users need more education. Seriously, don't just give your credentials away to anyone that asks for it (this actually applies to everything in life). Is your Twitter ranking really that important?

If you did give your credentials away, hopefully you used a different and unique password for that particular account. That way, if your account did get compromised then only one account is compromised, not your entire portfolio of accounts. How do you manage multiple passwords? Give a password manager like 1password or KeePass a try to create and manage unique passwords for each of your social media accounts.

Secondly, social media websites like Twitter need to use better forms of authentication. How about something similar to what FriendFeed is doing by issuing users a "remote key" for all third-party interactions with your account. Of course this isn't perfect but it's a step in the right direction. I applaud FriendFeed for having the remote key functionality a required part of the API. BTW, Twitter has been talking about using nifty solutions like OAuth, so do it already @Twitter! HTTP Basic Authentication just doesn't cut it.

Authentication of user credentials and social media is a big problem...(actually verifying who you say you are is a another topic altogether). What authentication solutions for social media do you think should be adopted?

Looks like the Notacon website has updated the speaker list and there looks to be some really good talks so far. Here is the list from the Notacon 6 website and blog post:

Time To Replicate The Real Threat: Client Side Penetration Testing
CG & g0ne

Interactivity with Arduinos, Transducing the Physical World
droops & Morgellon the Lowtek Mystic

Fun With The MSP430 MCU
Travis Goodspeed

Hacking Light - How we came to love Holga and Other Stories of photo hi jinx
Jeon & Treize

"Pilates" for Common Cubicle Injuries
Michele Martaus

Super Jason Scott Presentation 64
Jason Scott

Programming The Sega Genesis For Mad Profit and Crazy Mad Profit
SigFLUP

Hacking Cognition
Tottenkoph & Selkie

Intro to Go
Jason Viers

What is Notacon?
Notacon is one of the most unique conferences you will ever attend! Notacon 6 is April 16th - 19th 2009 held in Cleveland, Ohio. Notacon explores and showcases technologies, philosophy and creativity often overlooked at many "hacker cons". Registration is open!

Looks like the fine folks over at Paterva have released version 2.01 of Maltego. If you don't know what Maltego is...look here. Check out some of the changes and new features. From the announcement:

Features:

* Copy and paste to/from graphs
* Copy and paste to/from text
* Above can also function as ‘import’
* Zoom to pointer
* Looking glass zoom mode
* Added notch on slider that will return 10,000 entities (if your RAM can stomach it)
* Brought back ‘Run All Transforms’ - you asked for it!
* Cancel transform run (e.g. i clicked on the wrong transform and it’s taking forever while my graph is turning into a green mush, can we please stop this now)
* Easier Mac install

Fixes:

* Authentication proxies now works (including NTLM)
* Cancel on entity export (small annoying fix)
* Transform manager window resizes properly (useful for those on E^3s)
* The dreadful save bug has been fixed (if you never saw it count yourself lucky)

In addition they note the in the upcoming 2.1 version they will be allowing local scriptable transforms! I am really looking forward to this feature as the custom transform creation process will hopefully get a whole lot easier.

Note that the main download page doesn't have the new package yet so if you want it now you need to get the download links from the forum post here. I would expect the main site updated later today.

Also...the crippled "community edition" is still on the old version for now (updated shortly I am sure). By the way, it's only $430 USD for the first year, $320 USD per year thereafter for a license of the commercial version...well worth it!

There is a new group forming in Northeast Ohio for IT professionals focused on the younger generation and is an opportunity to network and learn from one another. The first meeting is at the Great Lakes Brewing Company on December 10th @ 6pm (downstairs in the beer cellar). Cost is $15 to help with appetizers but is open bar! Read: Great Lakes has Christmas Ale on tap!

If you plan on attending please RSVP to Devon Campbell (dcampbell2 [aT] mcpc.com).

This event should be a great way to network and meet others in the area! Hope to see some of you locals there!

You may have noticed that I removed the SBN (Security Bloggers Network) badge from my blog and that the SBN Feedburner site has not been updated in several weeks. Well, Alan Shimel has officially moved SBN over to Lijit. Lijit is kind of like FriendFeed but is really more about searching, linking searches, and putting your socnets together. It should be interesting to see how Lijit will improve distribution of the SBN site content. You can check out the new SBN here. If you haven't checked out the large list of blogs that belong to the SBN...you really should! Lot's of great security bloggers are on the list.

Subscribe to the SBN from here via RSS or OPML.