Perimeter

8/5/2010
03:03 PM
John H. Sawyer
John H. Sawyer
Commentary
50%
50%

Data Visualization For Faster, More Effective Pen Testing

"Social Networking Special Ops: Extending Data Visualization Tools for Faster Pwnage" was the last discussion I attended at Defcon. It was a fun talk that demonstrated interesting applications from visualization tools, like Maltego and Google Maps, to track information available through Twitter and Facebook.

"Social Networking Special Ops: Extending Data Visualization Tools for Faster Pwnage" was the last discussion I attended at Defcon. It was a fun talk that demonstrated interesting applications from visualization tools, like Maltego and Google Maps, to track information available through Twitter and Facebook.The talk was given by Chris Sumner (a.k.a. The Suggmeister), offering some history on social network analysis dating back to the usage of sociograms by Jacob Moreno in 1933. The Suggmeister became involved with the Tony Hawk Twitter Hunt (THTH) to hide Tony Hawk skateboards and provide clues via Twitter to help find the boards. Out of his desire to visualize the THTH data, this whitepaper (PDF) and presentation (PDF) were born.

The first tool that Chris focused on was Maltego. I've mentioned Maltego for gathering information about a penetration-testing target, and Chris demonstrated some ways he was able to extend the tool with custom scripts. The scripts gather information using the Twitter API and feed it into Maltego via its "local transform" functionality. The local transforms provide users with the ability to include additional information sources not already available in Maltego. His resulting graphs showed correlations between the users following certain Twitter accounts and using hashtags associated with Tony Hawk.

Chris admitted his resulting graph wasn't as good as others doing similar research, but his work certainly serves as a good example of what can be done. For example, if you were collecting information about a particular company, then you could start with finding a few employees, map their relationships in Twitter to see who they talk to the most, and eventually gather enough information about other employees who haven't openly broadcast they work at the same place. From there, you could pull together bits and pieces to social engineer your way into the company.

Chris then detailed some of his research into a 419 Nigerian scam through which a friend of his had lost a laptop. He was able to gather information through Facebook by friending users who were located in Nigeria. His research revealed numerous brazen scammers who were flaunting their activities on Facebook. In fact, he got pretty far with identifying individuals involved in the scam until it became apparent that going all the way could be danger. As the slide said in his presentation: "Health Warning: Messing With Criminals Can Reduce Your Life Expectancy."

So much can be done through data visualization tools, like Maltego, and some of the other Chris mentioned, like Processing, Prefuse, Afterglow, and DAVIX. The key is realizing that the data is out there and available, often through a special API like the one Chris used from Twitter. Just be sure what you're doing doesn't violate the terms of service, which he discussed with some similar research someone was doing through Facebook.

In addition to the presentation, Chris also ran the Defcon Twitter Hunt Contest, in which he hid custom Defcon skateboard decks around the conference area. His Twitter followers had to solve the clues to score one of the amazing decks. After solving a trivia question and figuring out the clue on Sunday, I scored an awesome signed Tony Hawk deck just before Chris' presentation!

Keep an eye on SecurityG33k.com for more research from Chris and a link to the video when it becomes available.

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Microsoft Fixes 11 Critical, 39 Important Vulns
Kelly Sheridan, Staff Editor, Dark Reading,  6/12/2018
Why CISOs Need a Security Reality Check
Joel Fulton, Chief Information Security Officer for Splunk,  6/13/2018
Cisco Talos Summit: Network Defenders Not Serious Enough About Attacks
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/13/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-12580
PUBLISHED: 2018-06-19
library/DBTech/Security/Action/Sessions.php in DragonByte vBSecurity 3.x through 3.3.0 for vBulletin 3 and vBulletin 4 allows self-XSS via $session['user_agent'] in the "Login Sessions" feature.
CVE-2018-12578
PUBLISHED: 2018-06-19
There is a heap-based buffer overflow in bmp_compress1_row in appliers.cpp in sam2p 0.49.4 that leads to a denial of service or possibly unspecified other impact.
CVE-2018-1061
PUBLISHED: 2018-06-19
python before versions 2.7.15, 3.4.9, 3.5.6 and 3.7.0 is vulnerable to catastrophic backtracking in the difflib.IS_LINE_JUNK method. An attacker could use this flaw to cause denial of service.
CVE-2018-1073
PUBLISHED: 2018-06-19
The web console login form in ovirt-engine before version 4.2.3 returned different errors for non-existent users and invalid passwords, allowing an attacker to discover the names of valid user accounts.
CVE-2018-12557
PUBLISHED: 2018-06-19
An issue was discovered in Zuul 3.x before 3.1.0. If nodes become offline during the build, the no_log attribute of a task is ignored. If the unreachable error occurred in a task used with a loop variable (e.g., with_items), the contents of the loop items would be printed in the console. This could ...