Hacking
Andrei, Arto, Esko, Markus

• What kind of threats/attacks exist in social media? – Emphasis on cross-site scripting
• Possibilities and drawbacks of Web 2.0 technologies
• How can you protect against these threats?
Common Social Networking Security Threats

Cross-site scripting (XSS)
• Enables attackers to inject client-side script into web pages
• Uses known vulnerabilities in web-based applications, their servers, or plug-in systems
• Persistent / non-persistent
• Self-XSS: tries to trick the user into cutting and pasting malicious code into the browser address bar

CSRF / XSRF – Cross-site request forgery
• The attack works by including a link or script in a page that accesses a site to which the user is known to have been authenticated
• Involves sites that rely on a user's identity
• Exploits the site's trust in that identity
• Tricks the user's browser into sending HTTP requests to a target site
• Involves HTTP requests that have side effects
In practice – Cross-site scripting

"OnMouseOver" – Twitter
• Moving the mouse over a text or image launches a pop-up or a redirect to third-party websites
• Thousands of Twitter accounts have posted messages exploiting the flaw
• Victims include Sarah Brown, wife of the former British Prime Minister

"Rainbow tweet"
• A loophole used to create a tweet that is a block of colour -> "rainbow tweet"
• Blacked-out messages hide the true content of the tweets
• Designed to invite clicks or mouse-over actions by readers

Implementations of XSS (cross-site scripting)
Case: Technical details of XSS

• The vulnerability exists because URLs were not being parsed properly. For example, the following URL is posted to Twitter:

  http://thisisatest.com/@"onmouseover="alert('test xss')"/

• You can see that by putting in the URL and the trailing slash, Twitter thinks it has a valid URL even though it contains a quote mark, which allows it to escape (i.e. terminate the href attribute, for the pedants out there) the URL attribute and include a mouse-over.
• You can write anything to the page, including closing the link and including a script element.
• Also, you are not limited by the 140-character limit because you can use $.getScript().
Fix

• In detail, the offending regex was:

  REGEXEN[:valid_url_path_chars] = /(?:
    #{REGEXEN[:wikipedia_disambiguation]}|
    @[^\/]+\/|
    [\.\,]?#{REGEXEN[:valid_general_url_path_chars]}
  )/ix

• The @[^\/]+\/ part allowed any character (except a forward slash) when it was prefixed by an @ sign and suffixed by a forward slash.
• With @#{REGEXEN[:valid_general_url_path_chars]}+\/ it now only allows valid URL characters.
The exploit was a classic piece of JavaScript injection. Suppose you write a tweet with the following text:

  "http://www.guardian.co.uk/technology is the best!"

When you view the Twitter web page, that becomes a link, like so:

  <a href="http://www.guardian.co.uk/technology" class="tweet-url web" rel="nofollow">http://www.guardian.co.uk/technology</a> is the best!

The exploit attacked that link-making function. The raw text of the exploit tweet would read something like this:

  http://a.no/@";onmouseover=";$('textarea:first').val(this.innerHTML); $('.status-update-form').submit();"class="modal-overlay"/

This is what Twitter didn't protect properly, probably because the @" character combination broke their [HTML] parser. That link would generate the following page source:

  <a href="http://a.no/@"; onmouseover="; $('textarea:first').val(this.innerHTML); $('.status-update-form').submit(); "class="modal-overlay"/ class="tweet-url web" rel="nofollow">

Source: http://stackoverflow.com/questions/3762746/todays-xss-onmouseover-exploit-on-twitter-com
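The two slides above describe the same bug from two angles: a URL grammar that accepted a double quote after "@", and a link-maker that wrote the matched text straight into an href attribute. The following is an added example, written for this page and not Twitter's own code, of a toy linkifier that reproduces that class of bug beside a hardened version. The allow-list of path characters (`PATH_CHAR`), the `hasInjectedEventHandler` heuristic and the sample tweets are assumptions; the test URL is the one the slide quotes.

```javascript
// Added example: a toy tweet linkifier, vulnerable and hardened variants.
const HOST = String.raw`https?:\/\/[A-Za-z0-9.-]+`;
// Assumed allow-list of characters permitted inside a URL path. Deliberately
// excludes the double quote, angle brackets and whitespace.
const PATH_CHAR = String.raw`[A-Za-z0-9\-._~%!$&'()*+,;=:]`;

// Vulnerable grammar: "@", then anything that is not a slash, then a slash,
// mirroring the old @[^\/]+\/ alternative. A double quote sails through.
const VULNERABLE_URL = new RegExp(`${HOST}(?:\\/(?:@[^\\/]+\\/|${PATH_CHAR})*)?`, "g");

// Hardened grammar: the "@" segment may only contain allow-listed characters,
// mirroring the @#{valid_general_url_path_chars}+\/ replacement.
const HARDENED_URL = new RegExp(`${HOST}(?:\\/(?:@${PATH_CHAR}+\\/|${PATH_CHAR}|\\/)*)?`, "g");

// Escape for use in HTML text and in double-quoted attribute values.
function escapeHtml(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;")
          .replace(/"/g, "&quot;").replace(/'/g, "&#39;");
}

// The bug in one line: the matched URL is interpolated into the attribute
// unescaped, so a quote inside it terminates href and starts a new attribute.
function linkifyVulnerable(text) {
  return text.replace(VULNERABLE_URL,
    (url) => `<a href="${url}" class="tweet-url web" rel="nofollow">${url}</a>`);
}

// Two independent fixes: a stricter URL grammar, and escaping at the output
// sink regardless of what the grammar let through.
function linkifyHardened(text) {
  let out = "";
  let last = 0;
  for (const m of text.matchAll(HARDENED_URL)) {
    out += escapeHtml(text.slice(last, m.index));
    const url = escapeHtml(m[0]);
    out += `<a href="${url}" class="tweet-url web" rel="nofollow">${url}</a>`;
    last = m.index + m[0].length;
  }
  return out + escapeHtml(text.slice(last));
}

// Coarse unit-test heuristic, not an HTML parser: an on* attribute name
// right after a quote or whitespace is the signature of a terminated href.
function hasInjectedEventHandler(html) {
  return /["'\s]on[a-z]+\s*=/i.test(html);
}

// Constructed sample tweets; the second is the test URL quoted on the slide.
const benignTweet = "see http://www.guardian.co.uk/technology now";
const hostileTweet = 'http://thisisatest.com/@"onmouseover="alert(\'test xss\')"/';

console.log(linkifyVulnerable(hostileTweet));
console.log(linkifyHardened(hostileTweet));
```

With the hardened grammar the link stops at `http://thisisatest.com/` and the remainder of the tweet is rendered as escaped text, so even a grammar regression elsewhere would still hit the escaping at the sink.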
Session hijacking / stealing cookies

• Exploitation of a valid computer session to gain unauthorized access to information or services
• Theft of a cookie used to authenticate a user to a remote server
• Session fixation: the attacker sets a user's session id to one known to him, for example by sending the user an email with a link that contains a particular session id
• Session sidejacking: the attacker uses packet sniffing to read network traffic between two parties to steal the session cookie – Wireshark
• XSS: the attacker tricks the user's computer into running code which is treated as trustworthy
Technical aspect – Hacking 1:1

Keylogger
• A program that can record each stroke on the keyboard that the user makes
• The software can send a summary of recorded keystrokes to a malicious party
• Distributed as a trojan horse or as part of a virus
• Exposes login details etc.
• Hardware keyloggers also exist

Clickjacking
• Tricks the user into clicking something different from what the user thinks he is clicking
• Embedded code or a script that can execute without the user's knowledge
• A clickjacked page might have an invisible button or other interface element on top of the original page as a transparent layer; when the user thinks he is clicking a button on the original page he is actually clicking the malicious element
• The user might end up revealing confidential information
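The transparent-layer trick only works if the attacker's page is allowed to load the victim site inside a frame, so the defence is a response header that forbids framing. The following is an added example, not from the slides, of building those headers and of evaluating a captured response's headers to tell whether a given embedder could frame the page. The `antiFramingHeaders` / `canBeFramedBy` names and the sample origins are assumptions; the header semantics (`X-Frame-Options` DENY/SAMEORIGIN, CSP `frame-ancestors` taking precedence) are the standard ones.

```javascript
// Added example: anti-clickjacking headers and a framing-policy evaluator.

// Build the response headers for a page. No allowed ancestors: nobody may
// frame it. Only 'self': same-origin framing only. Anything else: CSP alone
// carries the list, since X-Frame-Options cannot express arbitrary origins.
function antiFramingHeaders(allowedAncestors) {
  const allowed = allowedAncestors || [];
  const headers = {};
  if (allowed.length === 0) {
    headers["X-Frame-Options"] = "DENY";                   // legacy control
    headers["Content-Security-Policy"] = "frame-ancestors 'none'"; // modern control
  } else {
    if (allowed.length === 1 && allowed[0] === "'self'") headers["X-Frame-Options"] = "SAMEORIGIN";
    headers["Content-Security-Policy"] = "frame-ancestors " + allowed.join(" ");
  }
  return headers;
}

// Case-insensitive header lookup over a plain object of captured headers.
function header(headers, name) {
  for (const key of Object.keys(headers)) {
    if (key.toLowerCase() === name) return headers[key];
  }
  return undefined;
}

// Evaluate a frame-ancestors directive: true/false if it decides the question,
// null if the policy has no such directive. Handles 'none', 'self', '*',
// scheme-only sources (https:) and exact origins; no host wildcards.
function frameAncestorsAllows(cspValue, embedderOrigin, pageOrigin) {
  const directive = cspValue.split(";").map((d) => d.trim()).find((d) => /^frame-ancestors(\s|$)/i.test(d));
  if (!directive) return null;
  const sources = directive.split(/\s+/).slice(1).map((s) => s.toLowerCase());
  if (sources.length === 0 || sources.includes("'none'")) return false;
  const embedder = embedderOrigin.toLowerCase();
  return sources.some((src) => {
    if (src === "*") return true;
    if (src === "'self'") return embedder === pageOrigin.toLowerCase();
    if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return embedder.startsWith(src);
    return src === embedder;
  });
}

// Could a page at pageOrigin, served with these headers, be framed by embedderOrigin?
function canBeFramedBy(headers, embedderOrigin, pageOrigin) {
  const csp = header(headers, "content-security-policy");
  if (csp) {
    const verdict = frameAncestorsAllows(csp, embedderOrigin, pageOrigin);
    if (verdict !== null) return verdict; // frame-ancestors overrides X-Frame-Options
  }
  const xfo = (header(headers, "x-frame-options") || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return embedderOrigin === pageOrigin;
  return true; // no framing control at all: any site can overlay its own UI on this page
}

// Constructed sample: a captured response with no framing headers at all.
const PAGE = "https://social.example";
const HOSTILE_EMBEDDER = "https://attacker.example";
const unprotectedResponse = { "Content-Type": "text/html; charset=utf-8" };
console.log("unprotected page framable by hostile site?", canBeFramedBy(unprotectedResponse, HOSTILE_EMBEDDER, PAGE));
console.log("with antiFramingHeaders():", canBeFramedBy(antiFramingHeaders(), HOSTILE_EMBEDDER, PAGE));
```

Running `canBeFramedBy` over the headers of every authenticated page in a crawl gives a quick inventory of clickjacking exposure; any page that returns true for an origin you do not control is missing the control.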
Technical aspect – Hacking 1:1 (2)

Code injection
• Exploits a bug, design flaw or vulnerability
• The goal is privilege escalation, i.e. gaining elevated access to resources that are normally protected from an application or user
• SQL injection: malicious SQL statements are inserted into an entry field for execution
• Malware can be installed on a computer by exploiting code injection vulnerabilities, or by PHP or ASP injection

Social engineering
• Manipulating people into performing actions or divulging confidential information
• Exploiting cognitive biases
Technical aspect – Hacking 1:1 (3)

Phishing
• Obtaining private information fraudulently
• Typically an email with a link to a fraudulent web page, disguised as a legitimate message from a well-known service like a bank or a credit card company
• The email often requests "verification" of information and warns of some dire consequence if it is not provided

Identity theft
• Social media sites reveal, and encourage users to divulge, as much personal information as possible to generate revenue from advertisers
• A wealth of information is available for criminals to hijack identities

Password reset
• Need to know the login email
• Try to reset the password and set a new email by selecting 'no longer have access to old email'
• Educated guess at the security question
Case: Mat Honan

• Google account taken over and deleted
• Twitter account compromised and used to broadcast racist and homophobic messages
• Apple ID account compromised and used to remotely erase all data from his iPhone, iPad and MacBook
• Hackers exploited Apple and Amazon security flaws
• Resources:
  – http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all/
Components of security

• Change management – responding to changes
  – Network monitoring – risk analysis metric
  – Breach of confidentiality – action taken? – case study: Finland
  – Approving security changes – updates, new software, changes in information ownership
• Firewall
  – First line of defense – turtle defense | active attack
  – Port blocking – IP address range – traffic source to destination – authentication
• Proxy
  – Second line of defense
  – Logging – gather access information – hide existence
• NAT
  – Masquerade IP translation – hide critical resources
Protecting against threats

• Conduct a risk analysis – level of security
  – Low risk (studies, website data, etc.)
  – Medium risk (corporate networks containing combined business- and personnel-related information – ERP)
  – High risk (sources of classified information – Finland's foreign ministry)
• Categorize the people involved
  – Administrator – people responsible – owner
  – Privileged – internal users with greater access – sysadmin
  – User – access to resources – employee
  – Partners – external people with access – consultant
  – Others – customer
• Cross-functional security team
  – System admin – person responsible for security updates, access, etc.
  – Hacker – someone who understands network security
  – Policy handler – someone to blame if things go wrong
Case: Finland says government's data network hit by severe hacking

• WWW.formin.fi IP lookup: 213.214.146.178 / 213.214.128.0/18
  – Owner: Fujitsu Finland Oy, Petri Salonen, Malminkartanonkuja 4, 00390 Helsinki
• Targeted communication between Finland & EU officials
• Finland's foreign minister Erkki Tuomioja: "We have no evidence to make public and unequivocal allegations against anybody."
• Published by MTV3 news on 31.10.2013
• Detected in early spring 2013
• APT (Advanced Persistent Threat) attack
• References (Reuters & Wall Street Journal):
  – http://www.reuters.com/article/2013/10/31/net-us-finland-hacking-idUSBRE99U0ZL20131031
  – http://online.wsj.com/news/articles/SB10001424052702303843104579169831405170534
Conclusions

• The concept of hacking is expanding fast
• It is currently practiced in all layers of society
• The goal of hacking might not be to harm – aspects of:
  – Monitoring
  – Information gathering
  – Hacking computers into slaves
  – Hostile takeover
  – APT
Resources

• http://www.youtube.com/watch?feature=player_embedded&v=EpG661S9u9A
• http://www.reuters.com/article/2013/10/31/net-us-finland-hacking-idUSBRE99U0ZL20131031
• http://online.wsj.com/news/articles/SB10001424052702303843104579169831405170534
• http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all/
• http://stackoverflow.com/questions/3762746/todays-xss-onmouseover-exploit-on-twitter-com
• http://searchsecurity.techtarget.com/definition/advanced-persistent-threat-APT
• http://qz.com/71813/malware-turns-hacked-computers-into-slaves-that-mine-new-digital-currency/