
Hacking - users.jyu.fi/~timoh/TIES327/P2.pdf

Date post: 27-Oct-2019
Transcript
Page 1

Hacking
Andrei, Arto, Esko, Markus

What kinds of threats/attacks exist in social media? – Emphasis on cross-site scripting

Possibilities and drawbacks of Web 2.0 technologies

How can you protect against these threats?

Page 2

Common Social Networking Security Threats

Cross-site scripting (XSS)
• Enables attackers to inject client-side script into Web pages
• Uses known vulnerabilities in web-based applications, their servers, or plug-in systems
• Persistent/Non-persistent
• Self-XSS: tries to trick the user into cutting and pasting malicious code into the browser address bar

CSRF/XSRF Cross-site request forgery
• The attack works by including a link or script in a page that accesses a site to which the user is known to have been authenticated.
• Involves sites that rely on a user's identity
• Exploits the site's trust in that identity
• Tricks the user's browser into sending HTTP requests to a target site
• Involves HTTP requests that have side effects

Page 3

Implementations of XSS (cross-site scripting)

In practice – Cross-site scripting "OnMouseOver" – Twitter
• Moving the mouse over text or an image launches a pop-up redirect to third-party websites
• Thousands of Twitter accounts have posted messages exploiting the flaw. Victims include Sarah Brown, wife of the former British Prime Minister.
• "Rainbow tweet" loophole: used to create a tweet that is a block of colour -> "Rainbow tweet"
• Blacked-out messages hide the true content of the tweets. They were designed to invite clicks or mouse-over actions by readers.

Page 4

Case: Technical details of XSS

• The vulnerability exists because URLs were not being parsed properly. For example, the following URL is posted to Twitter:

http://thisisatest.com/@"onmouseover="alert('test xss')"/

You can see that by putting in the URL and the trailing slash, Twitter thinks it has a valid URL even though it contains a quote mark, which allows it to escape (i.e. terminate the href attribute, for the pedants out there) the URL attribute and include a mouse over. You can write anything to the page, including closing the link and including a script element. Also, you are not limited by the 140 character limit because you can use $.getScript().

Page 5

Fix
• In detail, the offending regex was:

REGEXEN[:valid_url_path_chars] = /(?:
  #{REGEXEN[:wikipedia_disambiguation]}|
  @[^\/]+\/|
  [\.\,]?#{REGEXEN[:valid_general_url_path_chars]}
)/ix

• The @[^\/]+\/ part allowed any character (except a forward slash) when it was prefixed by an @ sign and suffixed by a forward slash.
• With @#{REGEXEN[:valid_general_url_path_chars]}+\/ it now only allows valid URL characters.

Page 6

The exploit was a classic piece of JavaScript injection. Suppose you write a tweet with the following text:

"http://www.guardian.co.uk/technology is the best!"

When you view the Twitter web page, that becomes a link, like so:

<a href="http://www.guardian.co.uk/technology" class="tweet-url web" rel="nofollow">http://www.guardian.co.uk/technology</a> is the best!

The exploit attacked that link-making function. The raw text of the exploit tweet would read something like this:

http://a.no/@";onmouseover=";$('textarea:first').val(this.innerHTML); $('.status-update-form').submit();"class="modal-overlay"/

Page 7

Twitter didn't protect this properly, probably because the @" character combination broke their [HTML] parser. That link would generate the following page source:

<a href="http://a.no/@"; onmouseover="; $('textarea:first').val(this.innerHTML); $('.status-update-form').submit(); "class="modal-overlay"/ class="tweet-url web" rel="nofollow">

Source: http://stackoverflow.com/questions/3762746/todays-xss-onmouseover-exploit-on-twitter-com
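As an added illustration of pages 4 to 7 (not code from the presentation, from Twitter or from the twitter-text library): a miniature of the link-making function with the offending @[^\/]+\/ path rule beside the narrowed one, run against the harmless probe URL from page 4, plus a variant that also escapes the href so the fix does not rest on the regex alone. The GENERAL_PATH_CHARS class, the URL matcher and the helper names are assumptions made for this example.

```ruby
# Simplified stand-in for REGEXEN[:valid_general_url_path_chars]: an
# assumption for this example, not the library's exact character set.
GENERAL_PATH_CHARS = /[a-z0-9!*';:=+$\/%#\[\]\-_,~]/i

# Offending rule from page 5: after "@", anything up to the next "/" is
# accepted, including the double quote that terminates an href attribute.
VULN_PATH_CHARS = /(?:@[^\/]+\/|[.,]?#{GENERAL_PATH_CHARS})/i

# Fixed rule from page 5: after "@", only valid URL characters are accepted.
FIXED_PATH_CHARS = /(?:@#{GENERAL_PATH_CHARS}+\/|[.,]?#{GENERAL_PATH_CHARS})/i

# Returns the first URL the given path rule recognises in text, or nil.
def extract_url(text, path_chars)
  m = text.match(/https?:\/\/[a-z0-9.\-]+\/(?:#{path_chars})*/i)
  m && m[0]
end

# Minimal HTML/attribute escaping (hypothetical helper, kept dependency-free).
def escape_html(s)
  s.gsub(/[&<>"']/, '&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;', "'" => '&#39;')
end

# Link-making as the exploit found it: whatever the path rule accepted is
# dropped into href verbatim, so an accepted quote ends the attribute early.
def autolink_unsafe(text, path_chars)
  url = extract_url(text, path_chars)
  return escape_html(text) if url.nil?
  text.sub(url) { %(<a href="#{url}" rel="nofollow">#{url}</a>) }
end

# Hardened link-making: the narrowed rule stops the URL at the first invalid
# character, and href and body are escaped regardless (defence in depth).
def autolink_safe(text)
  url = extract_url(text, FIXED_PATH_CHARS)
  return escape_html(text) if url.nil?
  idx = text.index(url)
  before, after = text[0...idx], text[(idx + url.length)..-1]
  esc = escape_html(url)
  "#{escape_html(before)}<a href=\"#{esc}\" rel=\"nofollow\">#{esc}</a>#{escape_html(after)}"
end

# Value of the first href attribute in html (nil if none), to inspect results.
def href_of(html)
  html[/href="([^"]*)"/, 1]
end

# Constructed input: the harmless probe URL quoted on page 4.
EXPLOIT_TWEET = %q{http://thisisatest.com/@"onmouseover="alert('test xss')"/}
```

With the old rule the whole probe string is taken as the URL and the href attribute ends at its first quote; with the narrowed rule the URL stops at the "@", and autolink_safe additionally turns the leftover text into inert escaped characters.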

Page 8

Session hijacking / stealing cookies

• Exploitation of a valid computer session to gain unauthorized access to information or services

• Theft of a cookie used to authenticate a user to a remote server

• Session fixation: attacker sets a user's session id to one known to him, for example by sending the user an email with a link that contains a particular session id

• Session sidejacking: attacker uses packet sniffing to read network traffic between two parties to steal the session cookie - Wireshark

• XSS: attacker tricks the user's computer into running code which is treated as trustworthy

Page 9

Technical aspect - Hacking 1:1

Keylogger
• A program that can record each stroke on the keyboard that the user makes.
• The software can send a summary of recorded keystrokes to a malicious party
• Distributed as a trojan horse or as part of a virus
• Exposes login details etc.
• Hardware keyloggers

Clickjacking
• Tricks the user into clicking something different from what the user thinks he is clicking
• Embedded code or a script that can execute without the user's knowledge.
• A clickjacked page might have an invisible button or other interface element on top of the original page as a transparent layer, and when the user thinks he is clicking a button on the original page he is actually clicking the malicious element.
• The user might end up revealing confidential information

Page 10

Technical aspect - Hacking 1:1 (2)

Code injection
• Exploits a bug, design flaw or vulnerability
• The goal is privilege escalation, i.e. gaining elevated access to resources that are normally protected from an application or user
• SQL injection: malicious SQL statements are inserted into an entry field for execution
• Install malware on a computer by exploiting code injection vulnerabilities or by PHP or ASP injection

Social engineering
• Manipulating people into performing actions or divulging confidential information
• Exploiting cognitive biases

Page 11

Technical aspect - Hacking 1:1 (3)

Phishing
• Obtaining private information fraudulently
• Typically an email with a link to a fraudulent web page, disguised as a legitimate message from a well-known service like a bank or a credit card company.
• The email often requests "verification" of information and warns of some dire consequence if it is not provided

Identity theft
• Social media sites reveal and encourage users to divulge as much personal information as possible to generate revenue from advertisers
• Wealth of information available for criminals to hijack identities

Password reset
• Need to know the login email
• Try to reset the password and set a new email by selecting 'no longer have access to old email'
• Educated guess on the security question

Page 12

Case: Mat Honan

• Google account taken over and deleted

• Twitter account compromised and used to broadcast racist and homophobic messages

• AppleID account compromised and used to remotely erase all data from his iPhone, iPad and MacBook

• Hackers exploited Apple and Amazon security flaws

• Resources:

– http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all/

Page 13

Components of security

• Change management – responding to changes
  – Network monitoring
  – Risk analysis metric
  – Breach of confidentiality – Action taken? – case study: Finland
  – Approving security changes – Updates, new software, changes in information ownership

• Firewall – First line of defense
  – Turtle defense | Active attack
  – Port blocking
  – IP address range
  – Traffic source to destination – authentication

• Proxy – Second line of defense
  – Logging – Gather access information
  – Hide existence – NAT – Masquerade IP translation – Hide critical resources.

Page 14

Protecting against threats

• Conduct a risk analysis – Level of security
  – Low risk (studies, website data, etc.)
  – Medium risk (corporate networks containing business & personnel related information combined - ERP)
  – High risk (sources for classified information - Finland foreign ministry)

• Categorize people involved
  – Administrator – People responsible - Owner
  – Privileged – Internal users with greater access - Sys admin
  – User – Access to resources - Employee
  – Partners – External people with access - Consultant
  – Others – Customer

• Cross-functional security team
  – System admin – Person responsible for security updates, access, etc.
  – Hacker – Someone who understands network security.
  – Policy handler – Someone to blame if things go wrong.

Page 15

Case: Finland says government's data network hit by severe hacking

• www.formin.fi IP lookup 213.214.146.178 / 213.214.128.0/18
• Owner: Fujitsu Finland Oy, Petri Salonen, Malminkartanonkuja 4, 00390, Helsinki.
• Targeted communication between Finland & EU officials
• Finnish Foreign Ministry, Erkki Tuomioja: "We have no evidence to make public and unequivocal allegations against anybody."
• Published by MTV3 news on 31.10.2013
• Detected in early spring (2013)
• APT (Advanced Persistent Threat) attack
• References (Reuters & Wall Street Journal):
  – http://www.reuters.com/article/2013/10/31/net-us-finland-hacking-idUSBRE99U0ZL20131031
  – http://online.wsj.com/news/articles/SB10001424052702303843104579169831405170534

Page 16

Page 17

Conclusions

• The concept of hacking is expanding fast
• It is currently practiced in all layers of society
• The goal of hacking might not be to harm – aspects of:
  – Monitoring
  – Information gathering
  – Hacking computers into slaves
• Hostile takeover
• APT

Page 18

Resources

• http://www.youtube.com/watch?feature=player_embedded&v=EpG661S9u9A
• http://www.reuters.com/article/2013/10/31/net-us-finland-hacking-idUSBRE99U0ZL20131031
• http://online.wsj.com/news/articles/SB10001424052702303843104579169831405170534
• http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all/
• http://stackoverflow.com/questions/3762746/todays-xss-onmouseover-exploit-on-twitter-com
• http://searchsecurity.techtarget.com/definition/advanced-persistent-threat-APT
• http://qz.com/71813/malware-turns-hacked-computers-into-slaves-that-mine-new-digital-currency/