Perimeter
8/5/2010
03:03 PM
John H. Sawyer
John H. Sawyer
Commentary
Connect Directly
RSS
E-Mail
50%
50%

Data Visualization For Faster, More Effective Pen Testing

"Social Networking Special Ops: Extending Data Visualization Tools for Faster Pwnage" was the last discussion I attended at Defcon. It was a fun talk that demonstrated interesting applications from visualization tools, like Maltego and Google Maps, to track information available through Twitter and Facebook.

"Social Networking Special Ops: Extending Data Visualization Tools for Faster Pwnage" was the last discussion I attended at Defcon. It was a fun talk that demonstrated interesting applications from visualization tools, like Maltego and Google Maps, to track information available through Twitter and Facebook.The talk was given by Chris Sumner (a.k.a. The Suggmeister), offering some history on social network analysis dating back to the usage of sociograms by Jacob Moreno in 1933. The Suggmeister became involved with the Tony Hawk Twitter Hunt (THTH) to hide Tony Hawk skateboards and provide clues via Twitter to help find the boards. Out of his desire to visualize the THTH data, this whitepaper (PDF) and presentation (PDF) were born.

The first tool that Chris focused on was Maltego. I've mentioned Maltego for gathering information about a penetration-testing target, and Chris demonstrated some ways he was able to extend the tool with custom scripts. The scripts gather information using the Twitter API and feed it into Maltego via its "local transform" functionality. The local transforms provide users with the ability to include additional information sources not already available in Maltego. His resulting graphs showed correlations between the users following certain Twitter accounts and using hashtags associated with Tony Hawk.

Chris admitted his resulting graph wasn't as good as others doing similar research, but his work certainly serves as a good example of what can be done. For example, if you were collecting information about a particular company, then you could start with finding a few employees, map their relationships in Twitter to see who they talk to the most, and eventually gather enough information about other employees who haven't openly broadcast they work at the same place. From there, you could pull together bits and pieces to social engineer your way into the company.

Chris then detailed some of his research into a 419 Nigerian scam through which a friend of his had lost a laptop. He was able to gather information through Facebook by friending users who were located in Nigeria. His research revealed numerous brazen scammers who were flaunting their activities on Facebook. In fact, he got pretty far with identifying individuals involved in the scam until it became apparent that going all the way could be danger. As the slide said in his presentation: "Health Warning: Messing With Criminals Can Reduce Your Life Expectancy."

So much can be done through data visualization tools, like Maltego, and some of the other Chris mentioned, like Processing, Prefuse, Afterglow, and DAVIX. The key is realizing that the data is out there and available, often through a special API like the one Chris used from Twitter. Just be sure what you're doing doesn't violate the terms of service, which he discussed with some similar research someone was doing through Facebook.

In addition to the presentation, Chris also ran the Defcon Twitter Hunt Contest, in which he hid custom Defcon skateboard decks around the conference area. His Twitter followers had to solve the clues to score one of the amazing decks. After solving a trivia question and figuring out the clue on Sunday, I scored an awesome signed Tony Hawk deck just before Chris' presentation!

Keep an eye on SecurityG33k.com for more research from Chris and a link to the video when it becomes available.

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0972
Published: 2014-08-01
The kgsl graphics driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not properly prevent write access to IOMMU context registers, which allows local users to select a custom page table, and consequently write ...

CVE-2014-2627
Published: 2014-08-01
Unspecified vulnerability in HP NonStop NetBatch G06.14 through G06.32.01, H06 through H06.28, and J06 through J06.17.01 allows remote authenticated users to gain privileges for NetBatch job execution via unknown vectors.

CVE-2014-3009
Published: 2014-08-01
The GDS component in IBM InfoSphere Master Data Management - Collaborative Edition 10.0 through 11.0 and InfoSphere Master Data Management Server for Product Information Management 9.0 and 9.1 does not properly handle FRAME elements, which makes it easier for remote authenticated users to conduct ph...

CVE-2014-3302
Published: 2014-08-01
user.php in Cisco WebEx Meetings Server 1.5(.1.131) and earlier does not properly implement the token timer for authenticated encryption, which allows remote attackers to obtain sensitive information via a crafted URL, aka Bug ID CSCuj81708.

CVE-2014-3534
Published: 2014-08-01
arch/s390/kernel/ptrace.c in the Linux kernel before 3.15.8 on the s390 platform does not properly restrict address-space control operations in PTRACE_POKEUSR_AREA requests, which allows local users to obtain read and write access to kernel memory locations, and consequently gain privileges, via a c...

Best of the Web
Dark Reading Radio