Hacking. Andrei, Arto, Esko, Markus. What kinds of threats/attacks exist in social media? Emphasis on cross-site scripting. Possibilities and drawbacks.


1 Hacking
Andrei, Arto, Esko, Markus
– What kinds of threats/attacks exist in social media? Emphasis on cross-site scripting
– Possibilities and drawbacks of Web 2.0 technologies
– How can you protect against these threats?

2 Common Social Networking Security Threats
Cross-site scripting (XSS)
– Enables attackers to inject client-side script into web pages viewed by other users
– Exploits known vulnerabilities in web applications, their servers, or plug-in systems
– Persistent (stored) / non-persistent (reflected)
– Self-XSS: tricks the user into pasting malicious code into the browser address bar or developer console themselves
Cross-site request forgery (CSRF/XSRF)
– Works by including a link or script in a page that makes a request to a site the user is already authenticated to
– Targets sites that rely on a user's identity, and exploits the site's trust in that identity
– Tricks the user's browser into sending HTTP requests to the target site, with the user's cookies attached automatically
– Only matters for HTTP requests that have side effects

3 In practice – cross-site scripting
Implementations of XSS
"OnMouseOver" – Twitter
– Moving the mouse over a tweet's text or image launched a pop-up or redirected the reader to third-party websites
– Thousands of Twitter accounts posted messages exploiting the flaw
– Victims included Sarah Brown, wife of the former British Prime Minister
"Rainbow tweet"
– The same loophole was used to create tweets that render as blocks of colour
– Blacked-out messages hide the true content of the tweet; they were designed to invite clicks or mouse-overs by readers

4 Case: technical details of the XSS
The vulnerability existed because URLs were not being parsed properly. For example, the following URL is posted to Twitter:
"onmouseover="alert('test xss')"/
By putting in the URL and the trailing slash, Twitter thinks it has a valid URL even though it contains a quote mark. The quote escapes (i.e. terminates, for the pedants out there) the href attribute of the generated link, which allows you to add an onmouseover handler. From there you can write anything to the page, including closing the link and including a script element. You are not even limited by the 140-character limit, because you can use $.getScript() to load a longer script from elsewhere.

5 Fix
In detail, the offending regex was:
REGEXEN[:valid_url_path_chars] = /(?:
  #{REGEXEN[:wikipedia_disambiguation]}|
  @[^\/]+\/|
  [\.\,]?#{REGEXEN[:valid_general_url_path_chars]}
)/ix
The @[^\/]+\/ alternative allowed any character except a forward slash, as long as it was prefixed by an @ sign and suffixed by a forward slash, so a double quote could end up inside what Twitter treated as a URL. It was replaced with
@#{REGEXEN[:valid_general_url_path_chars]}+\/
which only allows valid URL path characters after the @.

6 The exploit was a classic piece of JavaScript injection. Suppose you write a tweet with the following text:
" is the best!"
When you view the Twitter web page, that becomes a link, like so: is the best! The exploit attacked that link-making function. The raw text of the exploit tweet would read something like this:
";onmouseover=";$('textarea:first').val(this.innerHTML);$('.status-update-form').submit();"class="modal-overlay"/
When the reader's mouse passed over the link, this copied the link's own HTML (the payload itself) into the status textarea and submitted the form, so every reader re-posted the exploit; the class="modal-overlay" part stretched the element over the page so that almost any mouse movement triggered it.

7 ...which Twitter didn't protect properly, probably because the @" character combination broke their HTML parser. That link would generate the following page source:
odays-xss-onmouseover-exploit-on-twitter-com
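To make the mechanism on slides 4 to 7 (and the XSS bullet on slide 2) concrete, here is an added example in JavaScript, written for this page and not twitter-text's or Twitter's code. It is a toy auto-linker with the same shape as the regex on slide 5: PATH_CHAR is a simplified stand-in for REGEXEN[:valid_general_url_path_chars], the host t.example and the tweet text are constructed, and the point shown is that the @[^/]+/ alternative lets a double quote into the href attribute while the tightened alternative, combined with HTML escaping of everything written into the page, does not.

```javascript
// Added example (not twitter-text's code): vulnerable vs fixed auto-linking.

// Simplified stand-in for REGEXEN[:valid_general_url_path_chars]. Note that a
// double quote is deliberately NOT a valid path character.
const PATH_CHAR = "[A-Za-z0-9!*';:=+,.$/%#\\[\\]\\-_~&|@]";

// Vulnerable: mirrors slide 5. After '/', the path may contain either an '@'
// segment made of ANY characters except '/' (terminated by '/'), or valid path
// characters. The '@' segment is the hole: it accepts '"'.
const URL_VULN = new RegExp(
  'https?://[A-Za-z0-9.-]+(?:/(?:@[^/]+/|' + PATH_CHAR + ')*)?', 'g');

// Fixed: the '@' segment may only contain valid path characters, so the match
// stops at the first '"' instead of swallowing it.
const URL_FIXED = new RegExp(
  'https?://[A-Za-z0-9.-]+(?:/(?:@' + PATH_CHAR + '+/|' + PATH_CHAR + ')*)?', 'g');

// The original failure mode: whatever the regex matched is dropped straight
// into an attribute and into element content, unescaped.
function linkifyVulnerable(text) {
  return text.replace(URL_VULN, (url) => `<a href="${url}">${url}</a>`);
}

// Escape the five characters that can change meaning in HTML text or in a
// double-quoted attribute.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened linkifier: the tightened regex keeps quotes out of the URL, and
// escaping every fragment written to the page means that even a future regex
// mistake cannot terminate the attribute or inject an element.
function linkifyFixed(text) {
  let out = '';
  let last = 0;
  for (const m of text.matchAll(URL_FIXED)) {
    out += escapeHtml(text.slice(last, m.index));
    const url = m[0];
    out += `<a href="${escapeHtml(url)}">${escapeHtml(url)}</a>`;
    last = m.index + url.length;
  }
  return out + escapeHtml(text.slice(last));
}

// Constructed tweet in the shape the slides describe: a URL whose '@' segment
// carries a quote, an event handler, and a trailing slash to satisfy '@[^/]+/'.
const EXPLOIT_TWEET = 'http://t.example/@"onmouseover="alert(1)"/ check this';
```

Run linkifyVulnerable(EXPLOIT_TWEET) and the output is `<a href="http://t.example/@"onmouseover="alert(1)"/">...`: the href attribute ends at the quote and onmouseover becomes a second attribute on the link, exactly the escape described on slide 4. linkifyFixed(EXPLOIT_TWEET) links only http://t.example/@ and renders the rest as text with the quotes encoded as &quot;, so there is nothing for the browser to execute.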

8 Session hijacking / stealing cookies
– Exploitation of a valid session to gain unauthorized access to information or services, usually by theft of the cookie used to authenticate a user to a remote server
– Session fixation: the attacker sets a user's session id to one known to him, for example by sending the user an e-mail with a link that contains a particular session id; if the site keeps that id when the user logs in, the attacker's id becomes an authenticated session
– Session sidejacking: the attacker uses packet sniffing (e.g. Wireshark) to read unencrypted network traffic between the two parties and steal the session cookie
– XSS: the attacker tricks the user's browser into running script that the site treats as trustworthy; such script can read the session cookie via document.cookie unless the cookie is marked HttpOnly

9 Technical aspect – Hacking 1:1
Keylogger
– A program that records every keystroke the user makes and sends a summary of the recorded keystrokes to a malicious party
– Distributed as a trojan horse or as part of a virus
– Exposes login details etc.
– Hardware keyloggers also exist
Clickjacking
– Tricks the user into clicking something different from what he thinks he is clicking
– Embedded code or a script that executes without the user's knowledge
– A clickjacked page has an invisible button or other interface element (typically the target site loaded in an iframe) on top of the original page as a transparent layer; when the user thinks he is clicking a button on the original page he is actually clicking the malicious element
– The user might end up revealing confidential information or performing an action on the hidden site

10 Technical aspect – Hacking 1:1 (2)
Code injection
– Exploits a bug, design flaw or vulnerability in how input is handled
– The goal is privilege escalation, i.e. gaining elevated access to resources that are normally protected from an application or user
– SQL injection: malicious SQL statements are inserted into an entry field so that the database executes them
– Malware can be installed on a computer by exploiting code injection vulnerabilities, e.g. PHP or ASP injection
Social engineering
– Manipulating people into performing actions or divulging confidential information
– Exploits cognitive biases

11 Technical aspect – Hacking 1:1 (3)
Phishing
– Obtaining private information fraudulently
– Typically an e-mail with a link to a fraudulent web page, disguised as a legitimate message from a well-known service such as a bank or a credit card company
– The e-mail often requests "verification" of information and warns of some dire consequence if it is not provided
Identity theft
– Social media sites reveal, and encourage users to divulge, as much personal information as possible in order to generate revenue from advertisers
– A wealth of information is available for criminals to hijack identities
Password reset
– Need to know the login e-mail
– Try to reset the password and set a new e-mail by selecting "no longer have access to old e-mail"
– Make an educated guess at the security question

12 Case: Mat Honan
– Google account taken over and deleted
– Twitter account compromised and used to broadcast racist and homophobic messages
– Apple ID account compromised and used to remotely erase all data from his iPhone, iPad and MacBook
– The hackers exploited security flaws in Apple's and Amazon's account-recovery procedures rather than any password
Resources:
– mat-honan-hacking/all/

13 Components of security
Change management – responding to changes
– Network monitoring
– Risk analysis metric
– Breach of confidentiality – action taken? (case study: Finland)
– Approving security changes: updates, new software, changes in information ownership
Firewall – first line of defense
– Turtle defense vs active attack
– Port blocking
– IP address ranges
– Traffic from source to destination
– Authentication
Proxy – second line of defense
– Logging: gather access information
– Hide the existence of internal hosts
– NAT – masquerading IP translation that hides critical resources

14 Protecting against threats
Conduct a risk analysis – level of security
– Low risk (studies, website data, etc.)
– Medium risk (corporate networks containing combined business and personnel information, e.g. ERP)
– High risk (sources of classified information, e.g. the Finnish foreign ministry)
Categorize the people involved
– Administrator – person responsible, owner
– Privileged – internal users with greater access, e.g. sysadmin
– User – access to resources, e.g. employee
– Partners – external people with access, e.g. consultant
– Others – e.g. customer
Cross-functional security team
– System admin – person responsible for security updates, access, etc.
– Hacker – someone who understands network security
– Policy handler – someone to blame if things go wrong

15 Case: Finland says government's data network hit by severe hacking
– IP lookup / owner: Fujitsu Finland Oy, Petri Salonen, Malminkartanonkuja 4, 00390 Helsinki
– Targeted communication between Finnish and EU officials
– Finnish Foreign Minister Erkki Tuomioja: "We have no evidence to make public and unequivocal allegations against anybody."
– Published by MTV3 news on 31.10.2013
– Detected in early spring 2013
– APT (Advanced Persistent Threat) attack
References (Reuters & Wall Street Journal):
– idUSBRE99U0ZL20131031
– 9169831405170534


17 Conclusions
– The concept of hacking is expanding fast
– It is currently practised in all layers of society
– The goal of hacking might not be to harm; aspects include monitoring, information gathering, and turning computers into slaves (botnets)
– Hostile takeover
– APT

18 Resources
– 9u9A
– idUSBRE99U0ZL20131031
– 9831405170534
– hacking/all/
– exploit-on-twitter-com
– threat-APT
– mine-new-digital-currency/
