
Twitter Accounts Hacked Yesterday

January 6th, 2009 | No Comments | Posted in Attacks, Tools

Yesterday morning I learned that some Twitter accounts had been hacked. People were getting DMs from people they followed with shortened links that sent them to malicious/phishing websites. Later that afternoon I checked the Twitter Status page and found this post.

A number of high-profile Twitter accounts were compromised this morning, and fake/spam updates were sent on their behalf.

We have identified the cause and blocked it. We are working to restore compromised accounts.

As a precaution, it would be prudent to reset your Twitter password and make sure email in your settings is your own.

More details to come.

By the end of the day over a dozen blogs had posted about whose accounts had been hacked, and even some screenshots of the crazy Tweets and DMs. People smarter than me have written about all the Web 2.0 vulnerabilities that exist and speculated on how the accounts were hacked. All I want to share are the following points.

  • When you sign in to Twitter, make sure you're on the right website. Twitter has an HTTPS login page, so before you sign in make sure you're on the SSL page before submitting your user name and password. (I wonder if the SSL cert is MD5 signed?)
  • Remember your Twitter ID is the same as your user name. So if someone is trying to brute force your account, they already have half the info they need.
  • Twitter requires a minimum password length of 6 characters, but I know from experience that passwords over 24 characters work. So use a unique, long and strong password.
  • Remember you should never need to give your password to a 3rd party Twitter service. Any service that requires a password is either a phishing attempt or developed by an idiot. Either way you don't want to use the service.
  • If you use a 3rd party client rather than the Twitter website, you're giving up some control. A rogue 3rd party client could function as a working client while also phishing for account credentials.
  • Make sure you know who you're following on Twitter. Only people you're following can send you a DM. You don't need to follow everyone on Twitter or everyone that follows you.
  • Think twice before clicking on a link. This is especially true for those that access Twitter from work. It's one thing to be "social networking"; it's another to be landing on websites that violate Internet use policies.

For those that want to read more check out the following links:
Following The Twitter Hack Trail To DigitalGangster
Twitter Gets Hacked, Badly
Celebrity Twitter Accounts Hacked (Bill O’Reilly, Britney Spears, Obama, More)

Remember the point of social networking sites like Twitter is to meet people and build networks. You can't do that in a locked box, but remember to be responsible when you use any type of technology, social networking or otherwise.

If you have anything you would like to add I would like to read about it in the comments.


Review: SANS Pen Test Webcast Part 1

October 16th, 2008 | No Comments | Posted in Attacks, News, Web

Yesterday was the SANS Webcast on "Combining Network, Web App and Wireless into the Ultimate Penetration Test." I had registered to catch it live, but my lunch break disappeared under a pile of deadlines. Today I was able to catch the archive of the presentation.

The focus of the webcast was, as the title describes, using combined methods and attack vectors during a penetration test. Sometimes, depending on the client requirements, a pen test will be requested but with a very limited scope. For example, they might only want their wireless network tested or a public-facing web application. Usually due to either lack of interest or cost, some companies will not get the full monty. I think this is bad because the results provided from the pen test are only part of the picture. I think that if a business is going to have a pen test conducted, it should cover all the potential attack vectors. Otherwise a business might have a false sense of security.


Bluetooth Headset Vulnerabilities Reminder…

September 24th, 2008 | 1 Comment | Posted in Attacks, News

As I find another one of my hands-free Bluetooth headsets in the washing machine again (yes, again, I think this is #11 or #12), I wanted to remind everyone about the risks associated with using Bluetooth devices.

With the new laws here in California that require drivers to use hands-free devices while driving, I'm starting to see more and more people using Bluetooth. I see them on the road, in restaurants, at work (sometimes connected to work phones), and I wonder if the "wireless" freedom is worth the risk that comes with Bluetooth.

Most of you know that Bluetooth hacking isn't anything new. We all remember reading about celebrities' cell phones getting hacked and having all the contacts and SMS messages stolen. What I don't think we all remember is that we are all at risk too. With smartphones and PDAs becoming cheaper, everyone is getting one. I see everyone from teenagers to soccer moms with BlackBerrys. I see students and business professionals with iPhones. Now you don't need a smartphone to have all your contacts and SMS data stolen. Any cell phone with Bluetooth enabled is open to attack. What smartphones add is access to more sensitive and private data. All that useful information you keep on your smartphone or PDA? Well, if you have Bluetooth enabled it might be open to attack.

So as I sit here wondering if I am going to go and get another Bluetooth headset, I'm thinking about what I use it for and what the pros and cons will be if I switched to a wired headset. Oh, and if you think that the only risk is someone stealing SMS messages from your spouse or your mom's phone number, watch this clip. That cool Bluetooth headset is also a bug that can broadcast everything you say and hear, even when you're not on a call. All I have to say is forget Big Brother; worry about that innocent-looking guy with the backpack and PDA.

http://www.youtube.com/watch?v=1c-jzYAH2gw

I would like to know how many of you enable Bluetooth and if you're worried about privacy or data theft. Please post your thoughts and ideas in the comments.

reDuh - TCP Redirection over HTTP

September 5th, 2008 | No Comments | Posted in Attacks, News, Web

Have you ever wondered why free web hosts don't give you ASP/JSP/PHP access? Here is one really good reason. SensePost's reDuh is a dynamic web page that can be used to bypass a firewall once you upload it to a web server. It lets you connect to the web page and then build a TCP circuit over HTTP to reach nodes inside the network.

Think website defacements are bad for your company's image? Imagine someone using something like this to get full access into your company's network. I'm going to test this when I have the time, but I thought that if some of you hadn't read about this presentation at BlackHat I would share it with you.

Make sure your web servers are hardened and that your firewall is properly patched and configured to monitor both ingress and egress between the world, your web server, and your company intranet. Remember defense-in-depth is a process, not a bulletproof plan. Also make sure your other intranet systems are patched and monitored.

I’ll post more when I have more time with reDuh.  If you have already tested this tool I would like to know what you think in the comments.

Experimental Mail Server Analyzer Online

August 23rd, 2008 | No Comments | Posted in Attacks, Research, Tools

Anatomy of a malware scam

August 22nd, 2008 | No Comments | Posted in Attacks, Web, Windows

I see from my Google Analytics that lots of you are interested in my post on the Antivirus malware scam going around. I read a great post today from The Register about the "Anatomy of a malware scam" that uses the Antivirus 2009 malware as the basis for the whole article.

I wanted to give those looking for more information about what is "under the hood" of a scam like this the link. I warn you, it is a very long and detailed post, so if you really aren't that curious about the technical aspects of the scam I would skip it. For those of you that do read it, let me know in the comments what you thought about it.

Samurai Web Testing Framework

August 20th, 2008 | No Comments | Posted in Attacks, Research, SQL Injection, Software, Tools, Web

Last week I had a student ask me about website pen-testing programs.  I told him about a new framework I had heard about called Samurai Web Testing Framework.  Samurai WTF is a Live-CD that uses Ubuntu as the host OS. It comes preloaded with several popular programs that are used for testing websites and web applications.

I haven't had much time to investigate this tool, but it seems like BackTrack for web testers. I have to say from a theme point of view I really like the "samurai" and "Edo" splash screens and wallpaper; I think it adds some nice details.

You can visit the main website here and download the first version of the Live-CD here. You will need to log in as user "samurai" with password "samurai". I got lucky on my second try logging in. Once you log in, the README gives you the user name and password. I thought that was funny…

I would like to have time to try this out but I don’t see that happening anytime soon.  I would really like to hear from anyone using this tool.  If you do download it and try it out please post comments on what you think about it.  I will post a follow-up when I have the time.

Fun with Metasploit Framework and ISR-evilgrade 1.0.0

August 12th, 2008 | No Comments | Posted in Attacks, Research, Software

I am currently updating my Metasploit Framework labs for one of my classes. Metasploit Framework always seems to be a hit with my students. While searching for new lab ideas that are both useful to learn and easy enough for everyone to follow, I came across a post on the Metasploit blog about ISR-evilgrade 1.0.0.

I know this is old news to most of my readers since it was released over a month ago, but it's new for me and, I'm guessing, for many of my students as well.

The description on the ISR website:

ISR-evilgrade v1.0.0

It is a modular framework that allows us to take advantage of poor upgrade implementations by injecting fake updates.

I don’t want to spoil the lab for my students but for those interested here are some links to get you started.  You can visit the ISR website and check out the Readme, Presentation and Demo.

Excellent Study “Cold Boot Attacks on Encryption Keys”

August 11th, 2008 | No Comments | Posted in Attacks, Research

One of the current hot topics in security is the implementation of disk encryption to protect sensitive and personal information. This is obviously better than no security at all, but even disk encryption has its weaknesses.

I was doing research for a lecture on "Cold Boot Attacks" when I found this study done at Princeton University's Center for Information Technology Policy. This is one of the best studies on the subject I have found thus far. If you haven't read much about "Cold Boot Attacks" this would be an excellent primer.

I have included the YouTube video and the Abstract for quick access to their website, but I do recommend you read the full research paper provided for all the details from the CITP website.
