Satan is on my Friends list: Attacking Social Networks

Presented at DEF CON 16 (2008), Aug. 8, 2008, 2 p.m. (50 minutes).

Social Networking is shaping up to be the perfect storm... An implicit trust of those in one's network or social circle, a willingness to share information, little or no validation of identity, the ability to run arbitrary code (in the case of user-created apps) with minimal review, and a tag soup of client-side user-generated HTML (Hello? MySpace? 1998 called. It wants its markup vulns back). Yikes. But enough about pwning the kid from homeroom who copied your calc homework. With the rise of business social networking sites, there are now thousands of public profiles with real names and titles of people working for major banks, the defense and aerospace industry, federal agencies, the US Senate... A target-rich and trusting environment for custom-tailored, laser-focused attacks. Our talk will show the results of a series of public experiments aimed at pointing out the security and privacy ramifications of everyone's increasingly open, increasingly connected online personae and the interesting new attack vectors they've created. Plus, we get to have some fun violating scads of EULAs, AUPs, and Terms of Service along the way. K. THX FOR THE ADD!!1! YOU RAWK.

Presenters:

  • Nathan Hamiel - Senior Consultant, Idea Information Security
    Nathan Hamiel is a Senior Consultant for Idea Information Security and the founder of the Hexagon Security Group. He is also an Associate Professor at the University of Advancing Technology. Nathan has previously presented at numerous other conferences including DefCon, Shmoocon, Toorcon, and HOPE. Nathan spent much of DefCon 15 without shoes and is planning ahead this year with a defense-in-depth approach that includes failover footwear. He has 1,936 people in his extended network, and finds that disturbing on a number of levels.
  • Shawn Moyer - CTO, Agura Digital Security
    Shawn Moyer is CISO of Agura Digital Security, a web and network security consultancy. He has led security projects for major multinational corporations and the federal government, written for Information Security magazine, and spoken previously at BH and other conferences. Shawn is currently working on a slash frantic adaptation of 2001:A Space Odyssey, told from the perspective of Hal9000. He only accepts friend requests on Facebook if they include a DNA sample and a scanned copy of a valid driver's license or passport.

Links:

Similar Presentations: