Perimeter
8/5/2010
03:03 PM
John H. Sawyer
John H. Sawyer
Commentary
Connect Directly
RSS
E-Mail
50%
50%

Data Visualization For Faster, More Effective Pen Testing

"Social Networking Special Ops: Extending Data Visualization Tools for Faster Pwnage" was the last discussion I attended at Defcon. It was a fun talk that demonstrated interesting applications from visualization tools, like Maltego and Google Maps, to track information available through Twitter and Facebook.

"Social Networking Special Ops: Extending Data Visualization Tools for Faster Pwnage" was the last discussion I attended at Defcon. It was a fun talk that demonstrated interesting applications from visualization tools, like Maltego and Google Maps, to track information available through Twitter and Facebook.The talk was given by Chris Sumner (a.k.a. The Suggmeister), offering some history on social network analysis dating back to the usage of sociograms by Jacob Moreno in 1933. The Suggmeister became involved with the Tony Hawk Twitter Hunt (THTH) to hide Tony Hawk skateboards and provide clues via Twitter to help find the boards. Out of his desire to visualize the THTH data, this whitepaper (PDF) and presentation (PDF) were born.

The first tool that Chris focused on was Maltego. I've mentioned Maltego for gathering information about a penetration-testing target, and Chris demonstrated some ways he was able to extend the tool with custom scripts. The scripts gather information using the Twitter API and feed it into Maltego via its "local transform" functionality. The local transforms provide users with the ability to include additional information sources not already available in Maltego. His resulting graphs showed correlations between the users following certain Twitter accounts and using hashtags associated with Tony Hawk.

Chris admitted his resulting graph wasn't as good as others doing similar research, but his work certainly serves as a good example of what can be done. For example, if you were collecting information about a particular company, then you could start with finding a few employees, map their relationships in Twitter to see who they talk to the most, and eventually gather enough information about other employees who haven't openly broadcast they work at the same place. From there, you could pull together bits and pieces to social engineer your way into the company.

Chris then detailed some of his research into a 419 Nigerian scam through which a friend of his had lost a laptop. He was able to gather information through Facebook by friending users who were located in Nigeria. His research revealed numerous brazen scammers who were flaunting their activities on Facebook. In fact, he got pretty far with identifying individuals involved in the scam until it became apparent that going all the way could be danger. As the slide said in his presentation: "Health Warning: Messing With Criminals Can Reduce Your Life Expectancy."

So much can be done through data visualization tools, like Maltego, and some of the other Chris mentioned, like Processing, Prefuse, Afterglow, and DAVIX. The key is realizing that the data is out there and available, often through a special API like the one Chris used from Twitter. Just be sure what you're doing doesn't violate the terms of service, which he discussed with some similar research someone was doing through Facebook.

In addition to the presentation, Chris also ran the Defcon Twitter Hunt Contest, in which he hid custom Defcon skateboard decks around the conference area. His Twitter followers had to solve the clues to score one of the amazing decks. After solving a trivia question and figuring out the clue on Sunday, I scored an awesome signed Tony Hawk deck just before Chris' presentation!

Keep an eye on SecurityG33k.com for more research from Chris and a link to the video when it becomes available.

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7877
Published: 2014-10-30
Unspecified vulnerability in the kernel in HP HP-UX B.11.31 allows local users to cause a denial of service via unknown vectors.

CVE-2014-3051
Published: 2014-10-29
The Internet Service Monitor (ISM) agent in IBM Tivoli Composite Application Manager (ITCAM) for Transactions 7.1 and 7.2 before 7.2.0.3 IF28, 7.3 before 7.3.0.1 IF30, and 7.4 before 7.4.0.0 IF18 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof s...

CVE-2014-3668
Published: 2014-10-29
Buffer overflow in the date_from_ISO8601 function in the mkgmtime implementation in libxmlrpc/xmlrpc.c in the XMLRPC extension in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 allows remote attackers to cause a denial of service (application crash) via (1) a crafted first argument t...

CVE-2014-3669
Published: 2014-10-29
Integer overflow in the object_custom function in ext/standard/var_unserializer.c in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via an argument to the unserialize function ...

CVE-2014-3670
Published: 2014-10-29
The exif_ifd_make_value function in exif.c in the EXIF extension in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 operates on floating-point arrays incorrectly, which allows remote attackers to cause a denial of service (heap memory corruption and application crash) or possibly exec...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.