April 16, 2008

Addressing Twitter Spam Through Statistical Analysis

A brief update - top 3 things that can be done to help users weed out spam:

  1. Make the block functionality more accessible - did you find it underneath the “Following” legend?
  2. Provide basic stats about a user in the notification email - location, bio and some ratio information
  3. Use backend monitoring/analysis to `killall -9` spammer accounts (block ratio, usage trends indicative of automation, etc)

As with any social network, spammers appear to take advantage of the collective masses that are gathered and interacting with each other. This is no different on Twitter, where numerous people have complained recently about massive follows from spam accounts. These accounts typically take the form of a high following:friend ratio and a low number of updates. There is even a site devoted to Twitter spam, twitterspam.com. There’s quite a bit of other information we can examine, but let’s tackle this in order of the two main types of spam I’ve come across.

The first is embodied in the @castlebaths account. Statistics that indicate this as a possible spam account:

  • 20% of links in the first 20 updates are the same as the bio link
  • There are zero replies in the account (note: not unlike a new Twitter user)
  • There’s an average of 1.15 updates/follower
  • The user's “Friends” account for 95% of the aggregate friends and followers

Now this account may very well be legitimate, but I doubt many people want to follow somebody on Twitter that is simply hawking a product and not contributing much beyond that. Taking these values and creating an aggregate score would probably score pretty high on the spam card.

Let’s take a look at another account, @kendra2. This account is a little bit more difficult to identify as spam through the numbers:

  • 5% of the URLs in the first 20 updates are the same as the bio link (that’s one URL for those not counting)
  • This account has actually replied to people
  • There are only 14 updates, but
  • The user's “Friends” account for 95% of the aggregate friends and followers

This is an interesting account since it seems to be an actual person trying to interact, but the bio link is actually the telltale sign here - videochatonline is a webcam site and @kendra2 is obviously trying to bring traffic to that site. The numbers do not clearly mark this as spam, but the last two statistics seem to indicate this account has been created solely for the purpose of driving traffic outside of Twitter. Other signs are the “pretty girl” avatar, the bio link to a commercial site and potentially similar profiles.
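Turning the statistics above into a per-account score, as an added example that is not part of the original post: the account records are constructed to resemble the two accounts discussed plus a regular user, and the thresholds and the equal weighting are assumptions, not Twitter's.

```python
# Spam-indicator scoring for Twitter-style accounts, built from the statistics
# the post lists. Added example, not code from the original post; the account
# records are constructed and the thresholds are assumptions.
import re
from dataclasses import dataclass, field

URL_RE = re.compile(r"https?://\S+")

@dataclass
class Account:
    name: str
    bio_link: str
    friends: int      # accounts this user follows
    followers: int    # accounts following this user
    updates: list = field(default_factory=list)   # newest first

def bio_link_share(acct, first_n=20):
    """Fraction of URLs in the first N updates that equal the bio link."""
    urls = [u for t in acct.updates[:first_n] for u in URL_RE.findall(t)]
    return sum(u == acct.bio_link for u in urls) / len(urls) if urls else 0.0

def reply_count(acct, first_n=20):
    """@-replies in the first N updates: the sign of an account that interacts."""
    return sum(t.startswith("@") for t in acct.updates[:first_n])

def updates_per_follower(acct):
    return len(acct.updates) / max(acct.followers, 1)

def friends_share(acct):
    """The user's own follows as a share of aggregate friends + followers."""
    total = acct.friends + acct.followers
    return acct.friends / total if total else 0.0

def spam_score(acct):
    """How many of the post's four indicators fire (0-4); thresholds assumed."""
    hits = [
        bio_link_share(acct) >= 0.20,      # post: 20% of links = bio link
        reply_count(acct) == 0,            # post: zero replies
        updates_per_follower(acct) < 2.0,  # post: ~1.15 updates per follower
        friends_share(acct) >= 0.95,       # post: friends are 95% of aggregate
    ]
    return sum(hits)

# Constructed sample accounts shaped like the two in the post plus a regular one.
BIO = "http://example.com/product"
CASTLE = Account("castle-like", BIO, friends=380, followers=20,
                 updates=[f"Buy now {BIO}" if i < 4 else f"Deal http://example.net/{i}"
                          for i in range(20)] + ["filler"] * 3)
KENDRA = Account("kendra-like", BIO, friends=95, followers=5,
                 updates=["@bob hi there", "@ann lol", "@joe yes", f"me: {BIO}"]
                 + [f"look http://example.net/{i}" for i in range(5)]
                 + ["just had lunch"] * 5)
REGULAR = Account("regular", "http://example.org/blog", friends=100, followers=120,
                  updates=["@sam thanks"] * 10 + ["working on stuff"] * 290)

if __name__ == "__main__":
    for a in (CASTLE, KENDRA, REGULAR):
        print(a.name, spam_score(a))
```

The kendra-like record scores only on the friends share, matching the post's observation that the numbers alone do not clearly mark that account as spam.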

As a Twitter user, what other statistics can I use to identify spam that Twitter (or somebody else…) might be able to provide?

  • # of my friends that _also_ follow the account
  • # of accounts without autofollow that are following the account
  • # of inactive accounts being followed by the new user
  • Are consecutive accounts being followed?

There’s also a number of back end statistics that can be utilized by Twitter, such as unique IP addresses in use across large numbers of accounts, clickstream rates and patterns, and other similarities across multiple accounts. Reporting spam isn’t always useful, but observing the (generally predictable) behavior of spammers and the interaction of the users with those accounts is a step forward.

Is spam an easy problem? Obviously not, or we wouldn’t have blog, email, trackback, comment and postal spam. Will there be false positives? Sure. However, the numbers above can help in both the automatic identification of spam accounts and providing users with enough topical information to make smart decisions to help alleviate their frustration as well. Furnishing an easy means by which to report/block spam is also a necessary evil. Twitter has hummed along relatively under the spam radar until now, but it seems it has to accept that spammers will try to take advantage of its users. Giving users the power to identify and avoid spam through the use of statistics will hopefully make Twitter a fruitless source of successful spam.

February 12, 2008

Quick Argus3 Commands

This is going to be a quick post, mostly because I’m tired from working on that other site and I really need to get some sleep.

I’ve been doing some serious pcap analysis lately. You know the type…where you’ve dumped numerous pcaps with tcpdump and the wonderful -C parameter. Being the type of guy that I am, I wanted to visualize the traffic I’d captured to identify what was going on. Here are a few argus commands I used to get the job done. Note I’ve used backslashes (\) to separate the commands onto multiple lines.

# Extract specific src mac addresses I'm interested in
# (argus -w appends to an existing file, so every capture lands in src_macs.argus)
for i in ~/captures/pcap*; do
  /usr/local/sbin/argus -mAJZRU 256 -r "$i" -w src_macs.argus - \
  ether src 00:00:00:11:22:33 or ether src 00:00:00:33:22:11;
done

Fantastic - now I’ve got an argus data stream that contains traffic solely from a mac or two I was interested in.

# Now let's take a look at top usage for each IP address
racluster -r src_macs.argus -m proto saddr dport -w - | \
  rasort -m saddr pkts -s saddr dport pkts | more

Now that we’ve manually looked through that data and found the top ports (argus used to have a -topN option, but I couldn’t seem to find it) let’s draw some nice-looking graphs. This splits the graph out into directories by date and generates graphs in each directory representing traffic for each particular mac address.

# For each mac address, generate daily usage for the "interesting" ports we saw above
macs="00:00:00:11:22:33 00:00:00:33:22:11"
ports="23 53 80 139 389 443 445 3389 1521"
# Turn the port list into "dst port 23 or dst port 53 or ..." (one or more digits per port)
filter_string=`echo $ports | sed 's/[[:digit:]]\{1,\}/dst port & or/g' | sed 's/ or$//'`

for mac in ${macs}; do
  rasplit -r src_macs.argus -M time 1d -w "archive/%Y_%m_%d/${mac}.arg" - \
    "(${filter_string}) and (ether src ${mac})";
done

# Graph each per-day file next to its .arg; a loop is used because a
# $(dirname {}) inside an xargs -I argument is expanded once by the shell
# before xargs ever runs
find archive -name '*.arg' | while read -r f; do
  ragraph pkts dport -M 1m -r "$f" -fill -stack -w "${f%.arg}.png"
done
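The same filter construction and tool invocations done in Python, as an added example that is not part of the original post: ports and MACs are validated and the commands are built as argv lists, so nothing goes through sed or shell quoting. The rasplit and ragraph options are the ones the post uses; the sample MACs and port list are the post's, and the archive layout is assumed to match it.

```python
# Building the filter expressions and tool invocations from the post in Python
# instead of sed and xargs, validating ports and MACs before they reach the
# tools. Added example, not code from the original post; the argus/rasplit/
# ragraph options are the ones the post uses, the sample values are constructed.
import re
import subprocess

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")

def port_filter(ports):
    """'dst port 23 or dst port 53 ...' from a list of port numbers."""
    terms = []
    for p in ports:
        p = int(p)
        if not 0 <= p <= 65535:
            raise ValueError(f"port out of range: {p}")
        terms.append(f"dst port {p}")
    return " or ".join(terms)

def mac_filter(mac, ports):
    """Filter handed to rasplit: the interesting ports from one source MAC."""
    mac = mac.lower()
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac}")
    return f"({port_filter(ports)}) and (ether src {mac})"

def rasplit_argv(src, mac, ports, archive="archive"):
    """argv for rasplit writing one file per day per MAC, as in the post."""
    return ["rasplit", "-r", src, "-M", "time", "1d",
            "-w", f"{archive}/%Y_%m_%d/{mac}.arg", "-", mac_filter(mac, ports)]

def ragraph_argv(arg_path):
    """argv for ragraph producing a PNG beside each per-day .arg file."""
    if not arg_path.endswith(".arg"):
        raise ValueError(f"not an argus file: {arg_path}")
    return ["ragraph", "pkts", "dport", "-M", "1m", "-r", arg_path,
            "-fill", "-stack", "-w", arg_path[:-4] + ".png"]

PORTS = [23, 53, 80, 139, 389, 443, 445, 3389, 1521]
MACS = ["00:00:00:11:22:33", "00:00:00:33:22:11"]

if __name__ == "__main__":
    import glob
    for mac in MACS:
        subprocess.run(rasplit_argv("src_macs.argus", mac, PORTS), check=True)
    for f in glob.glob("archive/*/*.arg"):
        subprocess.run(ragraph_argv(f), check=True)
```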

It’s not perfect and it took me quite a while to understand the intricacies of argus (-w - is different from just not specifying an output file, for example), but it’s definitely a start down the road.

November 11, 2007

Socnets and Security

There’s a meme going around about socnet ROI measurements and I got pinged by Clay Newton about socnet inputs into security metrics. It’s always interesting to discuss security and ROI, because ROI is one of the more elusive aspects of security. Having good security is generally compared to insurance: you don’t realize you need it until it’s too late, OR you pay and pay and pay for it but never realize the need for it. So what’s the ROI? Not being hacked? How do you monetize that? ROI is hard enough to determine in general, never mind on a social network where there’s no data. So allow me to ramble for a few brief moments.

Security metrics are somewhat difficult in general, especially if you’re trying to get detail on how much “hacking” is going on. People don’t like talking about being hacked in general, never mind on a public network. I’ve tried tracking various security-related keywords on Twitter such as “hacked”, “security”, “hacker” etc. and the resulting tweets are pretty limited. So let’s talk about security within social networks themselves.

What are the two primary concerns on social networks? The enormous!!! attack surface and the information disclosure.

Let’s take attack surface first. Organizations have their perimeters relatively well locked down these days. The internal networks are getting better, but are still pretty soft. Nevertheless, any security researcher will tell you that the current target these days is the client, more specifically…the browser. Individuals are becoming much more connected, and attackers have realized that if you can attack the individual, you can gain access to a whole bunch else. Historically there have been a couple of wide-scale attacks on social networks. The Samy worm (October 2005) took advantage of an XSS bug in MySpace’s site and affected over one million users in 5 hours. Now, the Samy worm was fairly benign, but there was another attack on MySpace that took advantage of the ad network and a vulnerability in Windows Metafile handling to install adware, keystroke loggers and who knows what else. Again, this attack likely affected over one million users. Even this past week, there was an issue with MySpace music pages. So we’ve seen that malware distribution through social networks is definitely possible. But, of course, social networks are getting more dynamic. With Facebook releasing their SDK and OpenSocial coming out, socnets are trying to make it easier to write applications that are portable across all networks. And the only difference between a malicious application and one that’s not…is the intent of the author.

The other concern, of course, is privacy. Imagine a low-profile worm, silently crawling across all networks, gathering the information you’ve put about yourself on those networks and compiling it into a giant database. Think, just for a brief moment, who you’ve given access to your life. You could build an immensely detailed picture of the past five years of my life by simply crawling the different social networks I’m on.

Think of all the hard work you’ve put into making each of your networks complete. MySpace - how many crimes (the most recent is the UW student being accused of murder) have been revealed because of MySpace? OpenSocial - how long did it take to “hack” the first OpenSocial app? 45 minutes. Facebook - Facebook is “more mature” than MySpace, but it collects a lot more statistics about its users (I believe, because it’s beneficial to then join Facebook networks). What if somebody could harvest all of that data…and then sell it? How’s that for an ROI?! Twitter - to make Twitter work, you have to tweet. To tweet, you have to expose information about yourself. To expand your network, you have to open yourself up. Unless you already have a network.

So those are a couple of my immediate thoughts when the words security and socnet appear in the same sentence. I realize that didn’t quite address the original question, but I would be happy to answer any specific questions. For now, I must collapse on my German bed.

October 24, 2007

How Design Impacts Security

In my threat modeling and secure coding classes, as well as directly with my clients, I always stress the importance of introducing security as early as possible in the software development lifecycle. In addition to raising awareness amongst the developers, doing so can help identify potential problems early in the development process, as opposed to later when they will require more effort and more cost to fix properly. I recently experienced a real-world example of this that I wanted to share.

I’m working in a building downtown that uses proximity badges to secure offices on each floor. The elevator has a card reader as well, but it requires you to actually insert a different badge. This process is both cumbersome and unreliable. First because you are sliding a card into a fairly small slot and second because people need to jostle around the elevator so they can get directly in front of the slot in order to successfully use the card reader. In the morning rush, it’s not uncommon for your floor to have gone past before you get a chance to swipe your card.

So what do you think this results in?

You got it. In the morning rush one person gets on, slides their badge in and asks everybody which floor they’re going to.

So due to a poor design decision (low-efficiency access control device in a high-traffic area), that control is now effectively bypassed on a regular basis. Another layer of security does exist, but now you’re one step closer. Perhaps this is an acceptable risk to the original designers of this system given the security level of the building and the additional security, but unfortunately I don’t know to what extent they did consider this.

I’ll be making another post in the near future about how some of the design decisions on today’s sites are there to make users “feel” better about the security, rather than implementing effective measures themselves. Sounds familiar.

October 10, 2007

Goodbye 3rd-Party iPhone Apps

This is kind of depressing. The new jailbreak method for the most recent iPhone 1.1.1 firmware was publicly announced today…and it relies on a vulnerability within MobileSafari. What a bummer.

Update: I assumed the link posted above was the same as some others floating around, but it is not. The iPhone Dev Team’s jailbreak does not use the MobileSafari vulnerability. Nevertheless, the below still applies.

When the original iPhone firmware was cracked, applications were loaded on using currently-existing functionality within the iPhone software. I was fine with that. Now, however, you have to actively exploit a vulnerability to gain access to the filesystem. I have a problem actively exploiting software on my phone to install SSH and Yahtzee. This is my phone, my main point of contact…not some handheld game console.

This is what I was expecting from Apple originally. The first iPhone jailbreak was way too easy and I was surprised that Apple would make such a major design decision when they probably had no doubt people would try to break this beautiful little piece of technology. Looks like my intuition was right.

I will follow with a heavy heart as others visit malicious websites in order to put custom apps on their iPhones and iPods…ipwn is now even more appropriate, hehe. I, for one, will probably just upgrade to 1.1.1 one of these days and say goodbye to those cute little ants crawling across my screen and freaking out people wishing to borrow my phone.

Come on, Apple, give the people what they want. You’re squandering the possibilities of an awesome platform. Here’s a quick tip for you: Web 2.0 partially came about because broadband became cheap and multiple behind-the-scenes calls to a web server were no longer an expensive operation. You can’t put Web 2.0 Apps on a phone that’s got a connection as slow as a turtle and unreliable as a Pacific Northwesterner. Nobody wants to relive the days of the baud-rate modems and spend 10 seconds waiting for a page to load just to use an application.

August 15, 2007

Analyzing .NET Patches

OK, so perhaps the title is a little misleading, but here’s an interesting exercise in taking a look at issues that have been patched within the .NET Framework. There’s a great tool out there by Lutz Roeder called .NET Reflector. Reflector allows you to generate source code (C#, C++, ILAsm, heck, even PowerShell) from .NET assemblies. This will be our primary tool for this task.

There was an advisory last month regarding some critical vulnerabilities in the .NET Framework (MS07-040). There was one issue in particular that was quite interesting:

An information disclosure vulnerability exists in .NET Framework that could allow an attacker who successfully exploited this vulnerability to bypass the security features of an ASP.NET Web site to download the contents of any Web page.

That sounds pretty interesting, but I had yet to see many details beyond that and I was somewhat curious as to where in the code this seemingly simple issue lay. So let’s dig in.

I made a copy of my Framework directory in C:\WINDOWS\Microsoft.NET\Framework and then installed the relevant patch. Assuming that the issue was in System.Web.dll, I opened each version of that DLL in Reflector and exported the source code. Although Reflector does include an assembly diff utility, I wasn’t able to open the two DLLs at the same time as they have the same assembly version. So I had to manually diff the source files until I came upon something “interesting”.


// New in the patched System.Web.dll; 0x194 is HTTP status 404
internal static void CheckSuspiciousPhysicalPath(string physicalPath)
{
    if (((physicalPath != null) && (physicalPath.Length > 0)) && (Path.GetFullPath(physicalPath) != physicalPath))
    {
        throw new HttpException(0x194, "");
    }
}

This CheckSuspiciousPhysicalPath method didn’t exist in the previous revision of System.Web.dll and seems to be addressing the issue mentioned in MS07-040. Note that CheckSuspiciousPhysicalPath compares the original physicalPath value with Path.GetFullPath(physicalPath), and that GetFullPath will throw an exception if the path contains any invalid characters.
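The canonicalize-and-compare pattern that CheckSuspiciousPhysicalPath applies, written as a Python analog so the kinds of input it refuses are visible. This is an added example, not the .NET Framework's code: posixpath.normpath stands in for Path.GetFullPath, so Windows-specific normalizations are not reproduced, and the sample paths are constructed.

```python
# Python analog of the .NET CheckSuspiciousPhysicalPath check shown above.
# Added example, not the framework's code: posixpath.normpath stands in for
# Path.GetFullPath, so Windows-only normalisations (drive letters, trailing
# dots and spaces) are not reproduced. Sample paths are constructed.
import posixpath

class HttpNotFound(Exception):
    """Stands in for HttpException(0x194), i.e. an HTTP 404."""

def check_suspicious_physical_path(physical_path):
    """Refuse a non-empty path that changes when canonicalised.

    A path that is already canonical passes through unchanged; anything with
    '..', '.', doubled separators, a trailing slash or a NUL byte is refused
    instead of being silently resolved to some other file.
    """
    if not physical_path:
        return
    if "\0" in physical_path:
        # GetFullPath throws on invalid characters such as NUL; mirror that.
        raise HttpNotFound(physical_path)
    if posixpath.normpath(physical_path) != physical_path:
        raise HttpNotFound(physical_path)

def is_suspicious(physical_path):
    """True if the check above would refuse the path."""
    try:
        check_suspicious_physical_path(physical_path)
    except HttpNotFound:
        return True
    return False

# Constructed sample paths under a hypothetical web root.
SAMPLES = {
    "/srv/www/site/page.aspx": False,          # canonical: accepted
    "": False,                                 # empty: skipped, as in .NET
    "/srv/www/site/../../etc/passwd": True,    # '..' resolves elsewhere
    "/srv/www/site/./page.aspx": True,         # '.' segment
    "/srv/www/site//page.aspx": True,          # doubled separator
    "/srv/www/site/": True,                    # trailing separator
    "/srv/www/site/page.aspx\0.txt": True,     # NUL byte
}

if __name__ == "__main__":
    for path, expected in SAMPLES.items():
        assert is_suspicious(path) == expected, path
        print(f"{'reject' if expected else 'accept'}: {path!r}")
```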

So now we have at least one potential place where an additional check for nulls is being performed. What’s left is to see if there are other locations and at the same time drop a breakpoint on this piece of code and see if we can trigger it.

August 14, 2007

Oracle Database Security and PCI

It was earlier this year that I became a PCI Qualified Security Assessor. For those not familiar with the Payment Card Industry, this basically means that I am now certified to validate an organization's compliance with the PCI DSS standards, a set of standards enforced by the PCI Security Standards Council to attempt to prevent credit card data theft such as the incident at TJX earlier this year, which has ultimately cost them $118 million. My experience in a broad set of security technologies as well as several years spent auditing various financial institutions left me well-positioned to achieve this certification. Nevertheless, I am always on the lookout for useful references I can continue to rely on.

I came across a good page on Oracle’s site today about Oracle Database Security and the Payment Card Industry Data Security Standard (PCI-DSS). It’s basically a big chart that describes how various facets of Oracle Database Technology can be utilized to meet the different PCI requirements. Quite useful when analyzing an environment with an Oracle backend. I’ll have to look around and see if other vendors have similar references. Then…I’ll have to automate it. *grin*

On a related note, I’m also maintaining a custom Google search for PCI information that I am expanding on a regular basis. Feel free to give it a shot:


July 24, 2007

My August

My August is going to be interesting. Here’s what it’s looking like.

  • Vegas, baby…Vegas. 10 days. And then if I make it back home from Vegas
  • My parents are coming to town, yay! Part of the reason is the
  • Arthur Murray Summer Showcase
  • RNast comes to town and we both attempt to summit Mt. Rainier

That being said, if you’ll be in Vegas for either Black Hat or DefCon let me know as you should stop by the booth and say hi and pick up an invite for the Saturday night party. :-D

Also, if anybody else wants to come visit me in lovely Sea-town you better hurry as the summer is almost over!

June 30, 2007

nmap -sS -p- iphone

Interesting ports on 192.168.x.y:
PORT STATE SERVICE VERSION
41425/tcp filtered unknown
62078/tcp open unknown

Hrm, what could this mystery port be?

June 19, 2007

iPhone Capabilities - Potential for Eavesdropping?

I just saw a post about some of the browser capabilities of the new iPhone, and there was one feature that caught my eye:

- new telephone links allow you to integrate phone calls directly from your webpage. remember this is only on safari.

The first thing I thought of was, “Wow, I hope that you can’t somehow execute those links automatically via JavaScript…”. Can you imagine if you browse to a page and your iPhone automatically dials the number of an attacker and listens in on a conversation you might be having? Combine an XSS vulnerability on a high-profile website and a couple of high-profile CEOs that we _know_ have an iPhone and you could get some pretty interesting dirt!

That would be kind of bad…

Update: Hehe, see.