Enable HTTPS on Facebook!

Posted: June 7th, 2011 | Author: | Filed under: fitm, personal, random, security | Tags: , , , , , , , , , , , , , , , | No Comments »

A couple of month passed since Facebook introduced full SSL support. This optional feature lets you browse Facebook via a secure connection (https) whenever possible. Facebook via https is now available to all users and why are so few people using it? I suppose because the option is disabled per default. -> Enable this option!

SOPHOS How-To enable the Facebook HTTPS option.
They also provide a video How-To:

Using Facebook without a secure communication puts your account data at high risk. First Firesheep and now Faceniff offer script-kiddie tools to hijack Facebook accounts over wireless. Research we conducted shows that unencrypted Facebook sessions are low-hanging fruits for large scale spam attacks. We published our first findings in 2010 (technical report), a revised version has been published in the current issue of IEEE’s Internet Computing.

Friend-in-the-middle (FiTM) attacks

In our article we present friend-in-the-middle attacks that extract social networking data in an automated fashion. The harvesting of data is possible because people do not use a secure connection with Facebook. We show that the extracted social data can be exploited for large-scale context-aware spam and social-phishing attacks. Our attack simulations on Facebook showed that an attacker could easily spam a high number of users with context-aware spam (e.g. spam that appears to be coming from a friend) in a short period of time (Over 300,000 spammed users with 4,000 uncrypted Facebook sessions we observed over two weeks).

Download the preprint: FITM_InternetComputing_preprint.pdf

More information on Friend-in-the-Middle Attacks can be also found here: http://www.sba-research.org/2011/02/02/ieee-internet-computing-special-issue-on-security-and-privacy-in-social-networks/
http://fitm.nysos.net


Who On Earth Is ”Mr. Cypher“: Automated Friend Injection Attacks on Social Networking Sites

Posted: June 14th, 2010 | Author: | Filed under: research, security | Tags: , , , , , , | No Comments »

Abstract. Within this paper we present our novel friend injection attack which exploits the fact that the great majority of social networking sites fail to protect the communication between its users and their services. In a practical evaluation, on the basis of public wireless access points, we furthermore demonstrate the feasibility of our attack. The friend injection attack enables a stealth infiltration of social networks and thus outlines the devastating consequences of active eavesdropping attacks against social networking sites.

Preprint

http://friendinjection.nysos.net


Tor HTTP usage and Information Leakage

Posted: May 14th, 2010 | Author: | Filed under: research, security, tor | Tags: , , , , , , | No Comments »

Abstract- This paper analyzes the web browsing behaviour of Tor users. By collecting HTTP requests we show which websites are of interest to Tor users and we determined an upper bound on how vulnerable Tor users are to sophisticated de-anonymization attacks: up to 78 % of the Tor users do not use Tor as suggested by the Tor community, namely to browse the web with TorButton. They could thus fall victim to de-anonymization attacks by merely browsing the web. Around 1 % of the requests could be used by an adversary for exploit piggybacking on vulnerable file formats. Another 7 % of all requests were generated by social networking sites which leak plenty of sensitive and identifying information. Due to the design of HTTP and Tor, we argue that HTTPS is currently the only effective countermeasure against de-anonymization and information leakage for HTTP over Tor.

Get the preprint here: http://torhttp.nysos.net


Towards Automating Social Engineering Using Social Networking Sites (Preprint)

Posted: July 6th, 2009 | Author: | Filed under: ASE, PASSAT-09, research, security | Tags: , , , , , , , , , , , , , , , , , , | No Comments »

I made the preprint version of my publication on “Towards Automating Social Engineering Using Social Networking Sites” available online. You can fetch the pdf from here: http://asebot.nysos.net. As I said before I will present this work at this year’s PASSAT in Vancouver.

Abstract—A growing number of people use social networking sites to foster social relationships among each other. While the advantages of the provided services are obvious, drawbacks on a users’ privacy and arising implications are often neglected. In this paper we introduce a novel attack called automated social engineering which illustrates how social networking sites can be used for social engineering. Our approach takes classical social engineering one step further by automating tasks which formerly were very time-intensive. In order to evaluate our proposed attack cycle and our prototypical implementation (ASE bot), we conducted two experiments. Within the first experiment we examine the information gathering capabilities of our bot. The second evaluation of our prototype performs a Turing test. The promising results of the evaluation highlight the possibility to efficiently and effectively perform social engineering attacks by applying automated social engineering bots.