Perimeter
8/5/2010
03:03 PM
John H. Sawyer
John H. Sawyer
Commentary
50%
50%

Data Visualization For Faster, More Effective Pen Testing

"Social Networking Special Ops: Extending Data Visualization Tools for Faster Pwnage" was the last discussion I attended at Defcon. It was a fun talk that demonstrated interesting applications from visualization tools, like Maltego and Google Maps, to track information available through Twitter and Facebook.

"Social Networking Special Ops: Extending Data Visualization Tools for Faster Pwnage" was the last discussion I attended at Defcon. It was a fun talk that demonstrated interesting applications from visualization tools, like Maltego and Google Maps, to track information available through Twitter and Facebook.The talk was given by Chris Sumner (a.k.a. The Suggmeister), offering some history on social network analysis dating back to the usage of sociograms by Jacob Moreno in 1933. The Suggmeister became involved with the Tony Hawk Twitter Hunt (THTH) to hide Tony Hawk skateboards and provide clues via Twitter to help find the boards. Out of his desire to visualize the THTH data, this whitepaper (PDF) and presentation (PDF) were born.

The first tool that Chris focused on was Maltego. I've mentioned Maltego for gathering information about a penetration-testing target, and Chris demonstrated some ways he was able to extend the tool with custom scripts. The scripts gather information using the Twitter API and feed it into Maltego via its "local transform" functionality. The local transforms provide users with the ability to include additional information sources not already available in Maltego. His resulting graphs showed correlations between the users following certain Twitter accounts and using hashtags associated with Tony Hawk.

Chris admitted his resulting graph wasn't as good as others doing similar research, but his work certainly serves as a good example of what can be done. For example, if you were collecting information about a particular company, then you could start with finding a few employees, map their relationships in Twitter to see who they talk to the most, and eventually gather enough information about other employees who haven't openly broadcast they work at the same place. From there, you could pull together bits and pieces to social engineer your way into the company.

Chris then detailed some of his research into a 419 Nigerian scam through which a friend of his had lost a laptop. He was able to gather information through Facebook by friending users who were located in Nigeria. His research revealed numerous brazen scammers who were flaunting their activities on Facebook. In fact, he got pretty far with identifying individuals involved in the scam until it became apparent that going all the way could be danger. As the slide said in his presentation: "Health Warning: Messing With Criminals Can Reduce Your Life Expectancy."

So much can be done through data visualization tools, like Maltego, and some of the other Chris mentioned, like Processing, Prefuse, Afterglow, and DAVIX. The key is realizing that the data is out there and available, often through a special API like the one Chris used from Twitter. Just be sure what you're doing doesn't violate the terms of service, which he discussed with some similar research someone was doing through Facebook.

In addition to the presentation, Chris also ran the Defcon Twitter Hunt Contest, in which he hid custom Defcon skateboard decks around the conference area. His Twitter followers had to solve the clues to score one of the amazing decks. After solving a trivia question and figuring out the clue on Sunday, I scored an awesome signed Tony Hawk deck just before Chris' presentation!

Keep an eye on SecurityG33k.com for more research from Chris and a link to the video when it becomes available.

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-4692
Published: 2015-07-27
The kvm_apic_has_events function in arch/x86/kvm/lapic.h in the Linux kernel through 4.1.3 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by leveraging /dev/kvm access for an ioctl call.

CVE-2015-1840
Published: 2015-07-26
jquery_ujs.js in jquery-rails before 3.1.3 and 4.x before 4.0.4 and rails.js in jquery-ujs before 1.0.4, as used with Ruby on Rails 3.x and 4.x, allow remote attackers to bypass the Same Origin Policy, and trigger transmission of a CSRF token to a different-domain web server, via a leading space cha...

CVE-2015-1872
Published: 2015-07-26
The ff_mjpeg_decode_sof function in libavcodec/mjpegdec.c in FFmpeg before 2.5.4 does not validate the number of components in a JPEG-LS Start Of Frame segment, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via craft...

CVE-2015-2847
Published: 2015-07-26
Honeywell Tuxedo Touch before 5.2.19.0_VA relies on client-side authentication involving JavaScript, which allows remote attackers to bypass intended access restrictions by removing USERACCT requests from the client-server data stream.

CVE-2015-2848
Published: 2015-07-26
Cross-site request forgery (CSRF) vulnerability in Honeywell Tuxedo Touch before 5.2.19.0_VA allows remote attackers to hijack the authentication of arbitrary users for requests associated with home-automation commands, as demonstrated by a door-unlock command.

Dark Reading Radio
Archived Dark Reading Radio
What’s the future of the venerable firewall? We’ve invited two security industry leaders to make their case: Join us and bring your questions and opinions!