Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

8/5/2010
03:03 PM
John H. Sawyer
John H. Sawyer
Commentary
50%
50%

Data Visualization For Faster, More Effective Pen Testing

"Social Networking Special Ops: Extending Data Visualization Tools for Faster Pwnage" was the last discussion I attended at Defcon. It was a fun talk that demonstrated interesting applications from visualization tools, like Maltego and Google Maps, to track information available through Twitter and Facebook.

"Social Networking Special Ops: Extending Data Visualization Tools for Faster Pwnage" was the last discussion I attended at Defcon. It was a fun talk that demonstrated interesting applications from visualization tools, like Maltego and Google Maps, to track information available through Twitter and Facebook.The talk was given by Chris Sumner (a.k.a. The Suggmeister), offering some history on social network analysis dating back to the usage of sociograms by Jacob Moreno in 1933. The Suggmeister became involved with the Tony Hawk Twitter Hunt (THTH) to hide Tony Hawk skateboards and provide clues via Twitter to help find the boards. Out of his desire to visualize the THTH data, this whitepaper (PDF) and presentation (PDF) were born.

The first tool that Chris focused on was Maltego. I've mentioned Maltego for gathering information about a penetration-testing target, and Chris demonstrated some ways he was able to extend the tool with custom scripts. The scripts gather information using the Twitter API and feed it into Maltego via its "local transform" functionality. The local transforms provide users with the ability to include additional information sources not already available in Maltego. His resulting graphs showed correlations between the users following certain Twitter accounts and using hashtags associated with Tony Hawk.

Chris admitted his resulting graph wasn't as good as others doing similar research, but his work certainly serves as a good example of what can be done. For example, if you were collecting information about a particular company, then you could start with finding a few employees, map their relationships in Twitter to see who they talk to the most, and eventually gather enough information about other employees who haven't openly broadcast they work at the same place. From there, you could pull together bits and pieces to social engineer your way into the company.

Chris then detailed some of his research into a 419 Nigerian scam through which a friend of his had lost a laptop. He was able to gather information through Facebook by friending users who were located in Nigeria. His research revealed numerous brazen scammers who were flaunting their activities on Facebook. In fact, he got pretty far with identifying individuals involved in the scam until it became apparent that going all the way could be danger. As the slide said in his presentation: "Health Warning: Messing With Criminals Can Reduce Your Life Expectancy."

So much can be done through data visualization tools, like Maltego, and some of the other Chris mentioned, like Processing, Prefuse, Afterglow, and DAVIX. The key is realizing that the data is out there and available, often through a special API like the one Chris used from Twitter. Just be sure what you're doing doesn't violate the terms of service, which he discussed with some similar research someone was doing through Facebook.

In addition to the presentation, Chris also ran the Defcon Twitter Hunt Contest, in which he hid custom Defcon skateboard decks around the conference area. His Twitter followers had to solve the clues to score one of the amazing decks. After solving a trivia question and figuring out the clue on Sunday, I scored an awesome signed Tony Hawk deck just before Chris' presentation!

Keep an eye on SecurityG33k.com for more research from Chris and a link to the video when it becomes available.

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/14/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
Why Cybersecurity's Silence Matters to Black Lives
Tiffany Ricks, CEO, HacWare,  7/8/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-14499
PUBLISHED: 2020-07-15
Advantech iView, versions 5.6 and prior, has an improper access control vulnerability. Successful exploitation of this vulnerability may allow an attacker to obtain all user accounts credentials.
CVE-2020-14501
PUBLISHED: 2020-07-15
Advantech iView, versions 5.6 and prior, has an improper authentication for critical function (CWE-306) issue. Successful exploitation of this vulnerability may allow an attacker to obtain the information of the user table, including the administrator credentials in plain text. An attacker may also ...
CVE-2020-14503
PUBLISHED: 2020-07-15
Advantech iView, versions 5.6 and prior, has an improper input validation vulnerability. Successful exploitation of this vulnerability could allow an attacker to remotely execute arbitrary code.
CVE-2020-14497
PUBLISHED: 2020-07-15
Advantech iView, versions 5.6 and prior, contains multiple SQL injection vulnerabilities that are vulnerable to the use of an attacker-controlled string in the construction of SQL queries. An attacker could extract user credentials, read or modify information, and remotely execute code.
CVE-2020-14505
PUBLISHED: 2020-07-15
Advantech iView, versions 5.6 and prior, has an improper neutralization of special elements used in a command (“command injection�) vulnerability. Successful exploitation of this vulnerability may allow an attacker to send a HTTP GET or POST request that create...