Enable HTTPS on Facebook!

Posted: June 7th, 2011 | Author: | Filed under: fitm, personal, random, security | Tags: , , , , , , , , , , , , , , , | No Comments »

A couple of month passed since Facebook introduced full SSL support. This optional feature lets you browse Facebook via a secure connection (https) whenever possible. Facebook via https is now available to all users and why are so few people using it? I suppose because the option is disabled per default. -> Enable this option!

SOPHOS How-To enable the Facebook HTTPS option.
They also provide a video How-To:

Using Facebook without a secure communication puts your account data at high risk. First Firesheep and now Faceniff offer script-kiddie tools to hijack Facebook accounts over wireless. Research we conducted shows that unencrypted Facebook sessions are low-hanging fruits for large scale spam attacks. We published our first findings in 2010 (technical report), a revised version has been published in the current issue of IEEE’s Internet Computing.

Friend-in-the-middle (FiTM) attacks

In our article we present friend-in-the-middle attacks that extract social networking data in an automated fashion. The harvesting of data is possible because people do not use a secure connection with Facebook. We show that the extracted social data can be exploited for large-scale context-aware spam and social-phishing attacks. Our attack simulations on Facebook showed that an attacker could easily spam a high number of users with context-aware spam (e.g. spam that appears to be coming from a friend) in a short period of time (Over 300,000 spammed users with 4,000 uncrypted Facebook sessions we observed over two weeks).

Download the preprint: FITM_InternetComputing_preprint.pdf

More information on Friend-in-the-Middle Attacks can be also found here: http://www.sba-research.org/2011/02/02/ieee-internet-computing-special-issue-on-security-and-privacy-in-social-networks/
http://fitm.nysos.net


Towards Automating Social Engineering Using Social Networking Sites (Preprint)

Posted: July 6th, 2009 | Author: | Filed under: ASE, PASSAT-09, research, security | Tags: , , , , , , , , , , , , , , , , , , | No Comments »

I made the preprint version of my publication on “Towards Automating Social Engineering Using Social Networking Sites” available online. You can fetch the pdf from here: http://asebot.nysos.net. As I said before I will present this work at this year’s PASSAT in Vancouver.

Abstract—A growing number of people use social networking sites to foster social relationships among each other. While the advantages of the provided services are obvious, drawbacks on a users’ privacy and arising implications are often neglected. In this paper we introduce a novel attack called automated social engineering which illustrates how social networking sites can be used for social engineering. Our approach takes classical social engineering one step further by automating tasks which formerly were very time-intensive. In order to evaluate our proposed attack cycle and our prototypical implementation (ASE bot), we conducted two experiments. Within the first experiment we examine the information gathering capabilities of our bot. The second evaluation of our prototype performs a Turing test. The promising results of the evaluation highlight the possibility to efficiently and effectively perform social engineering attacks by applying automated social engineering bots.


Automated Social Engineering Bot – PASSAT 2009

Posted: June 13th, 2009 | Author: | Filed under: ASE, random, security | Tags: , , , , , , , , , , , , , , , , , , | No Comments »

I got a paper on my Automated Social Engineering Bot accepted at the PASSAT 2009 conference. I’ll post the camery-ready version soon. 🙂


An end is in sight …

Posted: February 27th, 2009 | Author: | Filed under: ASE, random, security | Tags: , , , , , , , , , , , , | No Comments »

I’m writing the last pages of my master’s thesis on Automated Social Engineering and should present my work soon. Once it’s done I’m also planning to post a digitial version online on my blog.