Last night in my Intermediate Network Security class we did a lab on information gathering as it pertains to Network Security Assessments. We had discussed in the previous week Web and Newsgroup searches, WHOIS look-ups, BGP and DNS querying, along with Web crawling. I usually reference websites like Google, Netcraft, Fixed Orbit and the like to get the students started. Last year I did a demo of Maltego after I had read about it being showcased at one of the cons. At the time the only real pitch I could make was that it did what a lot of separate websites did, all in one workspace. It was all new to me, but I really didn't learn the full power of Maltego until I started reading articles and posts by people like Rob Fuller (Mubix) and Chris Gates (Carnal0wnage).
So I decided this time around I wanted to get the students using Maltego. In that effort I was successful, even if it was only for one night. To prepare for the night's lab activity I asked the @SecurityTwits for some help on finding more information about Maltego. Both Mubix and Carnal0wnage stepped forward and shared all that they had. I want to say thanks to both of them and would also like to refer all my students, and anyone else looking for more information about using Maltego, to check out the following two websites and related articles.
Carnal0wnage - http://carnal0wnage.blogspot.com
Maltego Part I - Intro and Personal Recon
Maltego Part II - Infrastructure Enumeration (links will be updated when posts are published)
Mubix - http://www.room362.com
Maltego 2 and beyond - Part 1
Maltego 2 and beyond - Part 2
Maltego 2 and beyond - Part 3
Maltego 2 and beyond - Part 4 (links will be updated when posts are published)
Maltego 2 and beyond - Part 5 (links will be updated when posts are published)
Tuesday, January 13, 2009
Tuesday, January 6, 2009
Twitter Accounts Hacked Yesterday
Yesterday morning I learned that some Twitter accounts had been hacked. People were getting DMs from people they followed with shortened links that sent them to malicious/phishing websites. Later that afternoon I checked the Twitter Status page and found this post.
A number of high-profile Twitter accounts were compromised this morning, and fake/spam updates were sent on their behalf.
We have identified the cause and blocked it. We are working to restore compromised accounts.
As a precaution, it would be prudent to reset your Twitter password and make sure email in your settings is your own.
More details to come.
By the end of the day over a dozen blogs had posted about whose accounts had been hacked and even some screen shots of the crazy Tweets and DMs. People smarter than me have written about all the Web 2.0 vulnerabilities that exist and speculation on how the accounts were hacked. All I want to share are the following points.
- When you sign in to Twitter make sure you're on the right website. Twitter has an HTTPS login page, so before you sign in make sure you're on the SSL page before submitting your user name and password. (I wonder if the SSL cert is MD5 signed?)
- Remember your Twitter ID is the same as your user name. So if someone is trying to brute-force your account they already have half the info they need.
- Twitter requires a minimum password length of 6 characters. But I know from experience passwords over 24 characters work. So use a unique, long and strong password.
- Remember you should never need to give your password to a 3rd party Twitter service. Any service that requires a password is either a phishing attempt or developed by an idiot. Either way you don't want to use the service.
- If you use a 3rd party client, rather than the Twitter website, you're giving up some control. A rogue 3rd party client could work as a client while also phishing accounts.
- Make sure you know who you're following on Twitter. Only people you're following can send you a DM. You don't need to follow everyone on Twitter or everyone that follows you.
- Think twice before clicking on a link. This is especially true for those that access Twitter from work. It's one thing to be "social networking"; it's another to be landing on websites that violate Internet Use policies. UPDATE: TinyURL will let you "enable" the preview feature on all TinyURLs before visiting the linked-to website. This only works for TinyURL; to enable it go to http://tinyurl.com/preview.php.
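The aside about whether the login page's SSL certificate is MD5 signed can be answered by reading the certificate's outer signatureAlgorithm field. The following is an added example, not code from the original post: a stdlib-only Python check that decodes the DER AlgorithmIdentifier OID of an X.509 certificate; check_live (needs network access) pulls the served certificate, and make_fake_cert builds a constructed, certificate-shaped blob so the parser can be exercised offline. The OID table and all function names are my own assumptions.

```python
import ssl
# Signature-algorithm OIDs worth recognising (constructed lookup table, not from the post)
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}

def _read_tlv(buf, pos):
    """Read one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(raw):
    """DER OID content bytes -> dotted notation (first byte packs the first two arcs)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:             # high bit clear ends a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """Return the signatureAlgorithm of a DER X.509 certificate as a name (raw OID if unknown)."""
    tag, pos, _ = _read_tlv(der, 0)          # Certificate ::= SEQUENCE { tbs, sigAlg, sigValue }
    assert tag == 0x30, "not a DER SEQUENCE"
    _, _, tbs_end = _read_tlv(der, pos)      # tbsCertificate: skipped whole
    tag, pos, _ = _read_tlv(der, tbs_end)    # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    assert tag == 0x30, "missing AlgorithmIdentifier"
    tag, start, end = _read_tlv(der, pos)
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    oid = _decode_oid(der[start:end])
    return SIG_ALG_NAMES.get(oid, oid)

def is_md5_signed(der):
    return signature_algorithm(der) == "md5WithRSAEncryption"

def check_live(host, port=443):      # network: pull the served leaf certificate and inspect it
    return signature_algorithm(ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port))))

def _tlv(tag, content):              # short-form DER length only (content < 128 bytes)
    return bytes([tag, len(content)]) + content

def make_fake_cert(sig_oid):
    """Constructed sample: certificate-shaped DER with a dummy tbsCertificate, for offline tests."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))
    alg = _tlv(0x30, _tlv(0x06, sig_oid) + _tlv(0x05, b""))
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" + b"\xAA" * 8))
```

Note that this reads only the leaf certificate's own signature; a chain check would repeat the same parse on each issuer certificate.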
For those that want to read more check out the following links:
Following The Twitter Hack Trail To DigitalGangster
Twitter Gets Hacked, Badly
Celebrity Twitter Accounts Hacked (Bill O'Reilly, Britney Spears, Obama, More)
Remember the point of social networking sites like Twitter is to meet people and build networks. You can't do that in a locked box, but remember to be responsible when you use any type of technology, Social Networking or otherwise.
If you have anything you would like to add, I would like to read about it in the comments.
