Matias Katz's Blog: Shall we talk a little about security?

31 Oct 2011

Facebook or SET?

The title refers to SET (the Social Engineering Toolkit), because, as has been shown repeatedly, Facebook sometimes acts as a platform for spreading phishing.

Once again we have observed a small, permissive design error in Facebook that lets an attacker build a vector for spreading phishing. Again, there are no reports so far of this feature being abused.
We previously published an article that is directly related to this attack: Social Engineering via the "Like" button. If you have not read it yet, we invite you to go over it quickly for a better understanding of the possible combinations.

As detailed in that article, an attacker can first build up the credibility and reputation of a note, then edit it and post links to malicious content in it. In this case we add two new ingredients that make the note more "striking", while the link the user clicks looks harmless.

First, photos can be inserted into a note, which has been known for a long time. In our case we were able to insert an image from an external URL using HTML code inside the note.

Example:

<img SRC="http://www.mkit.com.ar/imagen.jpg" alt="imagen"></img>

Second, by trial and error, we found that we can insert an "a href" tag whose displayed link name can be set freely.

Example:

<a href="http://www.dominiomalicioso.com/malware.exe">http://www.mkit.com.ar/blog</a>

Again, thanks to these features an attacker can "hide" the redirection to a contaminated site, or to an elaborate hoax, so that the user falls into the trap.

While routinely testing how this "possible" attack works, we observed the following behaviour:

  1. If you share the note on your wall and the link text contains the expression "http://", clicking the link in the wall post redirects to the site named in the link TEXT, whatever the "a href" says. In the example above, it redirects to "http://www.mkit.com.ar/blog" instead of "http://www.dominiomalicioso.com/malware.exe".
    (Image: wall redirect WITH "http://")
  2. If you share the note on your wall and the link text does not contain an expression such as "http://", it appears in the wall post as plain text, if it shows up in the note's preview at all.
    (Image: wall redirect WITHOUT "http://")
  3. If you click the hyperlink inside the note itself, you are always taken to wherever our "a href" points.
    (Image: redirect from inside the note)

Short URLs can also be used to obscure what the status bar shows, to get past users who pay a little more attention.
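To see how such a note could be caught before it reaches a wall, here is an added example (not code from this post, and not Facebook's) that scans note HTML for the two tricks described above: an "a href" whose visible text names a different host than its real target, and an image pulled from an external host. It also renders each link with its real destination, the "raw URL" presentation proposed under the possible solutions further down. The trusted-host list and the sample note are assumptions made for the demo.

```python
"""Scan note HTML for the two tricks above: an <a> whose visible text names a
different host than its href, and an <img> pulled from an external host.
Added example; not Facebook's code nor the original post's. The trusted-host
list and the sample note below are assumptions made for the demo."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Text a reader would take for an address, e.g. "www.mkit.com.ar/blog";
# group 1 is the host part.
URL_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:/\S*)?", re.I)


def host_of(url):
    """Lowercased hostname of an absolute http(s) URL, else None."""
    parts = urlsplit(url.strip())
    if parts.scheme in ("http", "https") and parts.hostname:
        return parts.hostname.lower()
    return None


def classify_link(href, text):
    """('deceptive-link' | 'link', href, text): deceptive when the visible
    text names a host that differs from the one the href really points to."""
    href_host = host_of(href)
    match = URL_TEXT.search(text)
    text_host = match.group(1).lower() if match else None
    if href_host and text_host and text_host != href_host:
        return ("deceptive-link", href, text)
    return ("link", href, text)


class NoteScanner(HTMLParser):
    """Collects findings and builds a plain-text rendering in which every
    link shows its real destination, i.e. the 'raw URL' the post proposes."""

    def __init__(self, trusted_hosts=()):
        super().__init__()
        self.trusted_hosts = {h.lower() for h in trusted_hosts}
        self.findings = []
        self._out = []
        self._href = None      # href of the <a> being read, if any
        self._text = []        # visible text collected inside that <a>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._href, self._text = a.get("href", ""), []
        elif tag == "img":
            src = a.get("src", "")
            host = host_of(src)
            if host and host not in self.trusted_hosts:
                self.findings.append(("external-image", src, a.get("alt", "")))
            self._out.append(f"[image: {src}]")

    def handle_data(self, data):
        (self._text if self._href is not None else self._out).append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = "".join(self._text).strip()
            kind, href, _ = classify_link(self._href, text)
            self.findings.append((kind, href, text))
            if kind == "deceptive-link":
                self._out.append(f"{text} [actually links to {href}]")
            else:
                self._out.append(f"{text} <{href}>")
            self._href = None

    def safe_text(self):
        return "".join(self._out)


def scan_note(note_html, trusted_hosts=()):
    scanner = NoteScanner(trusted_hosts)
    scanner.feed(note_html)
    scanner.close()
    return scanner


# Constructed sample note built from the two tags quoted in the post.
SAMPLE_NOTE = (
    '<p>Read the full story here: '
    '<a href="http://www.dominiomalicioso.com/malware.exe">http://www.mkit.com.ar/blog</a></p>'
    '<img SRC="http://www.mkit.com.ar/imagen.jpg" alt="imagen"></img>'
)

if __name__ == "__main__":
    result = scan_note(SAMPLE_NOTE)
    for finding in result.findings:
        print(finding)
    print(result.safe_text())
```

The comparison is on the full hostname, so "mkit.com.ar" shown as text for a link to "www.mkit.com.ar" would also be flagged; a production filter would compare registrable domains instead. Short URLs in the href are not expanded here, so the scanner only tells you that the text and the target disagree, not where the target finally leads.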

In this particular case we chose a topic of current interest to draw curiosity. The redirection goes to a script on our own domain that counts visitors, to measure the impact we would have had if we had published malicious content.

(Image: victims counter)

With a rough set of 300 contacts, on a Monday at 1:30 am, just 40 minutes after publication, this was the partial result:

Even though my contacts trust me and therefore have nothing to worry about (I hope, at least...), users need to build habits that make up for the level of design flaws in today's applications.

This is a personal account with few contacts. Imagine if an account with more than 1000 contacts were stolen! Within minutes an attacker would be able to steal hundreds and hundreds of pieces of personal data, or compromise the same number of machines.

Possible solutions:

Do not allow users to use HTML tags when creating notes. Admittedly, leaving the raw URL without renaming it is not very "aesthetic". However, there could be a distinction between "corporate" and "regular" users, giving the extra permission only to the former, who are the most likely to make good use of the feature.

Educate the user. Given the "advanced" phishing vector previously reported, we believe that in this case, and in most cases, the most efficient and effective way to prevent an attack is the user: instilling discipline will gradually produce safe practices when browsing social networks, as on any network. Reading the status bar before clicking on any hyperlink is still extremely important.

Source: Gustavo Nicolas Ogawa, from Mkit's Blog editorial team

28 Oct 2011

Facebook Simplifies Phishing Attacks

Once again we present a 0-day in Facebook phishing techniques. Fortunately we have not seen the technique in use. Through continuous research into the platform we can deduce certain attack vectors and warn security experts and developers before those vectors are exploited on a massive scale, thereby reducing their future effectiveness.

Every time we post a link, either on our own wall or on someone else's, Facebook generates content that it calls a "Preview".

After pasting the link into the publishing box, the preview is generated and shows information about the page the link redirects to: domain name + link target.

If we wanted, we could delete the link from the publishing box and leave only the preview. Then clicking on the preview image or its link would be enough to be redirected.

(Image: post without link in the comment)

In the same way, we could post malicious content, since Facebook lets us include more than one link per post but only generates one preview.

(Image: 2 links in 1 post)

As the image shows, the Hotmail link appears in the preview, and the Gmail link also appears in the comment.

Now, taking advantage of these facilities provided by the application and using URL shorteners, an attacker could in theory increase the chances of infection with a single post containing 3 addresses:

  1. The malicious link
  2. The name of the alleged link the user is redirected to
  3. The original link

Looking closely at the image with the genuine redirect, we can distinguish the following:

  1. The comment text from FB.
  2. The hyperlink name (Sign In).
  3. The link in plain text (login.live.com).
  4. The page preview.

Looking closely at the image with the fake redirect, we can see:

  1. FB comment text + short URL (as a PoC it redirects to gmail.com) ---> it prompts the user to log in from that link.
  2. Hyperlink name (Sign Up) ---> if Sign Up is pressed, the redirection goes to the original site, so its name is changed to discourage the user from clicking it. Sign Up = Register.
  3. Comment on the page:

If you want to log in, follow the link above or the following LINK: http://goo.gl/93aP6. To create an account press SIGN UP

Another example:

(Image: malicious post)

If we run the shortened link through an "expand" service, the result is the following:

(Image: expanded link)

Featured site: http://longurl.org/

As the result shows, the redirection goes to http://login.liveS.com/, which is not the same as https://login.live.com/

There are 4 key factors in the attack:

  • Facebook lets us write more than 1 hyperlink per post
  • Facebook creates a "Preview" of the page
  • In the preview, Facebook shows the (manipulated) "link name"
  • Facebook lets us modify the contents of the post

There is one negative factor in the attack:

  1. The original redirect hyperlink in the preview CANNOT be changed. So even if the attacker changes the name of the redirect link, a user who clicks on it is redirected to the original anyway.

From the negative factor we deduce (quite easily) that the chances of success drop to 50%, since of the 2 links with redirection, 1 leads to the attack site and 1 to the authentic site. However, as shown in the Sign In / Sign Up case, a "semantic" diversion of that redirection can be achieved.

From the key factors of the attack we can deduce:

  • A user can easily fall into the trap of a 0-day phishing attack.
  • The preview increases the perceived trustworthiness of the redirection.
  • Facebook itself increases the perceived trustworthiness of the post.
  • The "link name" is the second key to the phishing, because we can change it at will, increasing the trust that leads the user to click.

To avoid falling victim to a phishing scam of this kind, we recommend conscious use of social networks. Do not trust everything that looks legitimate.

- Read the status bar carefully by hovering the mouse over the hyperlink, to see the address it points to.

- If it is a "short URL", enter it into a link expansion service to see the original.
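Expanding a short URL without handing it to a third-party service, as an added example (not the post's code and not longurl.org's): each hop is requested with HEAD and the Location header is read by hand, so every intermediate address is visible, and the final host is then compared with the host the post claims, flagging look-alikes such as login.liveS.com versus login.live.com. The short-URL and intermediate hosts in the demo table are constructed; only the look-alike host is the one the post found.

```python
"""Expand a shortened URL one hop at a time, then judge whether the final host
is the one a post claims. Added example, not from the original post and not
longurl.org's code. http_location() uses only the standard library; the
redirect tables used in the demo are constructed."""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


class _StopRedirects(urllib.request.HTTPRedirectHandler):
    """Make urllib refuse to follow redirects so each hop stays visible."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_location(url, timeout=5):
    """HEAD one URL. Returns its Location header if it redirects, None if it
    answers 2xx (a final page); other HTTP errors propagate."""
    opener = urllib.request.build_opener(_StopRedirects)
    request = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(request, timeout=timeout):
            return None
    except urllib.error.HTTPError as err:
        if err.code in REDIRECT_CODES:
            return err.headers.get("Location")
        raise


def expand_url(url, fetch=http_location, max_hops=10):
    """Follow redirects manually and return the whole chain, first to last.
    `fetch` maps a URL to the next Location (or None); pass a dict's .get
    to test offline, as the demo below does."""
    chain = [url]
    for _ in range(max_hops):
        location = fetch(chain[-1])
        if location is None:
            return chain
        nxt = urljoin(chain[-1], location)  # Location may be relative
        if nxt in chain:
            raise ValueError(f"redirect loop at {nxt}")
        chain.append(nxt)
    raise ValueError(f"more than {max_hops} hops starting at {url}")


def edit_distance(a, b):
    """Levenshtein distance; a small value between hosts means a look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def judge_destination(final_url, expected_host):
    """'match' if the final host is expected_host or a subdomain of it,
    'lookalike' if it is within two edits of it, otherwise 'mismatch'."""
    host = (urlsplit(final_url).hostname or "").lower().rstrip(".")
    expected = expected_host.lower().rstrip(".")
    if host == expected or host.endswith("." + expected):
        return "match"
    if edit_distance(host, expected) <= 2:
        return "lookalike"
    return "mismatch"


# Constructed redirect table standing in for live HEAD requests; the final
# host is the look-alike the post found behind its shortened link.
DEMO_REDIRECTS = {
    "http://sho.rt/abc": "http://hop.example/x",
    "http://hop.example/x": "http://login.liveS.com/",
}

if __name__ == "__main__":
    chain = expand_url("http://sho.rt/abc", fetch=DEMO_REDIRECTS.get)
    print(" -> ".join(chain))
    print(judge_destination(chain[-1], "login.live.com"))  # lookalike
```

Calling `expand_url(url)` with the default fetcher performs real HEAD requests, so run it from a machine you do not mind the shortener and its destinations seeing. The hop limit and loop check matter in practice: shortener chains that bounce between two hosts or run on indefinitely are a cheap way to stall naive expanders.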


Source: Gustavo Nicolas Ogawa, from Mkit's Blog editorial team

13 Sep 2011

Social Engineering in Facebook through the “Like” button

21 Jun 2011

My talk at Buenos Aires Futura

Buenos Aires Futura, the most important technology event in the city of Buenos Aires, organized by the government of the City of Buenos Aires, will be held next weekend.

The main objective of the event is to bring the public of all ages together with the newest trends through a massive festival that will host all kinds of innovations, delivered by the world's major brands directly to users, so they can discover and interact with the amazing world that technology has to offer.

Dozens of professionals will talk about their experience and knowledge of the subject, focusing on the general public and everyday good practices.

I will be giving a talk about security in social networks, alongside Federico Pacheco (ESET) and Santiago Cavanna (Symantec).

We will discuss the risks involved in using these technologies, the good practices for keeping our profiles secure, and everything parents need to know before allowing their children into the world of social networks, so they can rest easy.

We will be on Sunday, June 26th at 2 PM at the Planetarium.

Link to the event (Spanish): http://www.buenosaires.gob.ar/futura/

Link to the official invitation: http://cai.mdebuenosaires.gov.ar

How to get there: http://mapa.buenosaires.gob.ar/

I'll see you there!

19 Apr 2011

Facebook is still insecure

I have run into this shocking error message from my browser several times this past week:

Being the good paranoid I am, the first things I thought were:

  1. I had connected to a rogue access point
  2. Someone had done a man-in-the-middle with a fake certificate
  3. I had been browsing for 10 minutes before I saw the error, so there was a good chance somebody had seen my activity
  4. FUUUUUUU (for those of you not familiar with the meme, see it here)

Desperate, I compared the gateway's MAC against my access point's MAC (which I have physical access to, so I could read the address directly off the device) and everything matched. So I thought "ok, they did their job and ran away". I started checking connection logs and more, and everything indicated that I had never connected to any hotspot other than my own wireless network. I sat and thought about WHAT could have happened... without an answer.

Until I thought of reading the browser error in detail:

(The image shows that although an HTTPS session has been established, some of the content is being transferred in plain text)

It turns out that, within the false sense of security given by browsing the social network over HTTPS, there are still some insecure components that slip through the side. This is to be expected, since webmasters arrange the site so that content without personal value (ads, generic site images, etc.) is transmitted in plain text, to reduce the overhead of establishing a secure channel at the server.

Since I already had my hands in the cookie jar, I decided to analyze which specific content was being transmitted in plain text, so I checked the site's source code, and to my great surprise I ran into the following:

External links were being delivered to the user in plain text. WHY?? This is not necessary!!

I understand that the user will eventually end up browsing in plain text through external links (since not every site offers HTTPS), but at least inside Facebook they could be kept encrypted.
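The browser warning in the screenshot is what a mixed-content check finds: resources loaded over plain http while an https page is being rendered. The following added example (not code from this post, and not Facebook's; the page URL, host names and sample page are constructed) walks an HTML document and separates the sub-resources a browser fetches in the clear, split into active ones (scripts, frames, stylesheets, which a network attacker could use to rewrite the page) and passive ones (images, media), from plain-http anchors, which the browser does not fetch until the user clicks them.

```python
"""List what a browser would fetch in the clear while rendering an HTTPS page
(the cause of the mixed-content warning), separately from plain-http anchors,
which are only followed when the user clicks them. Added example, not from
the post; the sample page and host names are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Sub-resources that run or restyle the page: a plaintext one lets a
# network attacker take over the HTTPS page (active mixed content).
ACTIVE = {"script": "src", "iframe": "src", "object": "data", "embed": "src"}
# Sub-resources that are only displayed (passive mixed content).
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_is_https = urlsplit(page_url).scheme == "https"
        self.active, self.passive, self.http_anchors = [], [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ACTIVE:
            self._note(self.active, tag, a.get(ACTIVE[tag]))
        elif tag == "link" and "stylesheet" in (a.get("rel") or "").lower():
            self._note(self.active, tag, a.get("href"))
        elif tag in PASSIVE:
            self._note(self.passive, tag, a.get(PASSIVE[tag]))
        elif tag == "a":
            href = a.get("href") or ""
            if urlsplit(href).scheme == "http":
                self.http_anchors.append(href)

    def _note(self, bucket, tag, url):
        # Only an explicit http: scheme is fetched in the clear; relative and
        # protocol-relative ("//host/...") URLs inherit https from the page.
        if self.page_is_https and url and urlsplit(url).scheme == "http":
            bucket.append((tag, url))


def scan_page(page_url, html):
    """Return {'active': [...], 'passive': [...], 'http_anchors': [...]}."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return {"active": scanner.active, "passive": scanner.passive,
            "http_anchors": scanner.http_anchors}


# Constructed sample page: one plaintext stylesheet, one plaintext image,
# one protocol-relative image (not mixed content) and two outbound links.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://static.example/site.css">
<script src="https://static.example/app.js"></script>
</head><body>
<img src="http://ads.example/banner.gif">
<img src="//static.example/logo.png">
<a href="http://news.example/story">a story</a>
<a href="https://partner.example/">a partner</a>
</body></html>"""

if __name__ == "__main__":
    for bucket, items in scan_page("https://social.example/home", SAMPLE_PAGE).items():
        print(bucket, items)
```

The active list is the one to act on first: a plaintext script or stylesheet on an https page hands page control to anyone on the path, whereas a plaintext image only leaks what the image is. The http_anchors list is informational; those addresses are sent to the user inside the encrypted page and only travel in the clear once clicked.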

This is how it should be:

Facebook should fetch the insecure content from the original server and embed it inside its own SSL channel.

However, this is what actually happens:

The user is fooled into thinking that all of his/her content is being transmitted securely. Facebook, however, in order to save resources on its servers, leaves an important security hole open.

So I recommend being careful with the information you handle through Facebook, even if you see HTTPS in the address bar. And when you see an error message in your browser, read it in detail.

Bye!
