Social Media Deception | Lakhani, Muniz (RSA Europe)

Aamir Lakhani, Joseph Muniz; Social Media Deception; At RSA Europe; 2013-10-30; , Session: landing; 28 slides.

Aamir Lakhani

Joseph Muniz


  • Emily Williams
    • Patterned after Robin Sage
  • Men trust Attractive Women
  • Click Jacking

Parting References

  • Hot, Warm, Cold Data Threats
  • Trending & Predictive Analysis
  • Kill Chain
    • concept
    • a metaphor riffing on the military doctrine



Lucian Constantin (IDG News); Fake social media ID duped security-aware IT guys; In IT World; 2013-10-31.
Teaser: Penetration testers used a faked woman’s identity on social networks to break into a government agency with strong cybersecurity defenses

Via: backfill

RFC 5746 and CVE-2009-3555 in SSL/TLS session renegotiation


Problem Definition

The TLS protocol, and the SSL protocol 3.0 and possibly earlier, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a “plaintext injection” attack, aka the “Project Mogul” issue.


  • Microsoft Internet Information Services (IIS) 7.0.
  • mod_ssl in the Apache HTTP Server 2.2.14 and earlier.
  • OpenSSL before 0.9.8l.
  • GnuTLS 2.8.5 and earlier.
  • Mozilla Network Security Services (NSS) 3.12.4 and earlier.
  • Cisco products.
  • Other products.


  • CVE-2009-3555, at MITRE
  • CVE-2009-3555, at National Vulnerability Database
  • RFC 5746 Transport Layer Security (TLS) Renegotiation Indication Extension; IETF; E Rescorla (RTFM), M. Ray, S. Dispensa (PhoneFactor), N. Oskov (Microsoft); 2010-02.

On the Security of RC4 in TLS and WPA | AlFardan, Bernstein, Patterson, Poettering, Schuldt

Nadhem AlFardan, Dan Bernstein, Kenny Paterson, Bertram Poettering and Jacob Schuldt; On the Security of RC4 in TLS and WPA; At Their Shop; 2013-03-13, updated 2013-07-08.


  • Single-byte bias attack on TLS.
  • To be presented at USENIX Security 2013, Washington DC, USA, 2013-08-14.
  • Claims <quote>
    • The most effective countermeasure against our attack is to stop using RC4 in TLS. [there are other countermeasures]
    • One of the attacks also applies to WPA/TKIP, the IEEE’s successor protocol to WEP. The most effective countermeasure against our attack against WPA/TKIP is to stop using WPA/TKIP and upgrade to WPA2.


  • Nadhem J. AlFardhan, Daniel J. Bernstein, Kenneth G. Paterson, Bertram Poettering, Jacob C. N. Schuldt; On the Security of RC4 in TLS and WPA; In Proceedings of the USENIX Security Symposium 2013; 2013-07-08; 31 pages.
    Data & Evidence

  • CVE-2013-2566; National Vulnerability Database, National Institute of Standards & Technology, U.S.

    • Description: The RC4 algorithm, as used in the TLS protocol and SSL protocol, has many single-byte biases, which makes it easier for remote attackers to conduct plaintext-recovery attacks via statistical analysis of ciphertext in a large number of sessions that use the same plaintext.
    • Overview: The RC4 algorithm, as used in the TLS protocol and SSL protocol, has many single-byte biases, which makes it easier for remote attackers to conduct plaintext-recovery attacks via statistical analysis of ciphertext in a large number of sessions that use the same plaintext.


Via: backfill.

Vulnerability Note VU#922681 Portable SDK for UPnP Devices (libupnp) contains multiple buffer overflows in SSDP

Via HD Moore (Rapid7); Security Flaws in Universal Plug and Play: Unplug, Don’t Play; Their Blog; 2013-01-29.


Scanning Tools

  • ScanNow UPnP for Windows
  • Rapid7 UPnP Check for “broadband and mobile”
  • Metasploit (Mac & Linux)
    • Modules tab
    • Search for ssdp_msearch
    • Find UPnP SSDP M-SEARCH Information Discovery
    • Enter network range
  • nmap
    • nmap -p 1900 -T4 -v




As maintained … and updated …

Fedora Last Update Availability
Fedora 14 libupnp-1.6.6-3.fc12.x86_64
Fedora 15 libupnp-1.6.6-4.fc15.x86_64
Fedora 16 libupnp-1.6.13-2.fc16.x86_64
Fedora 17 libupnp-1.6.17-1.fc17.x86_64 libupnp-1.6.17-1.fc17.x86_64
Fedora 18 libupnp-1.6.17-1.fc18.x86_64

CVE-2013-0422 – The MBeanInstantiator in Oracle Java Runtime Environment (JRE) 1.7 in Java 7 Update 10


  • CVE-2013-0422 The MBeanInstantiator in Oracle Java Runtime Environment (JRE) 1.7 in Java 7 Update 10 and earlier allows remote attackers to execute arbitrary code via vectors related to unspecified classes that allow access to the class loader, as exploited in the wild in January 2013, as demonstrated by Blackhole and Nuclear Pack, and a different vulnerability than CVE-2012-4681.
  • Security Tracker 1027972 Oracle Java Flaw Lets Remote Users Execute Arbitrary Code
    Provides pointers to the CVE and original blog post
  • Vulnerability Note VU#625617 Java 7 fails to restrict access to privileged code
    Provides a cursory explanation of the effect and points to vendor documentation and other notices.
  • Alert (TA13-010A) Oracle Java 7 Security Manager Bypass Vulnerability
    Provides characterization and pointers to in-the-field remediation; references VU#625617; obliquely indicates towards the use of NoScript
  • Vulnerability Note VU#636312 Oracle Java JRE 1.7 Expression.execute() and SunToolkit.getField() fail to restrict access to privileged code
    Referenced for the proposed solution, namely disable Java in web browsers.


Some Dude; 0 day 1.7u10 (CVE-2013-0422) spotted in the Wild – Disable Java Plugin NOW!; In His Blog; 2013-01-10 (or so).

Details on the exploit, screen shots and so forth.


  • CVE-2013-0422 has been sitting at “candidate status” for 35+ days.
  • The unreleased Oracle Java 7 runtime (release b19) is supposed to remediate.
  • How to turn off Java applets in Firefox; Mozilla Knowledge Base.
  • Linux releases normally use IceTea, not Java 7.


(Firefox) AutoPager & TeeSoft shady murky scammy ‘Click here to scan for System Errors & Optimize PC Performance’?

AutoPager for Firefox is really really neat, and to date is highly recommended.  But the headline banner promotion today sure feels shady…


  • The old Free Scan Your PC, Optimize Your Performance For Free scam.
  • Clickthrough link
    • Is at
    • Redirects 301 into
    • Redirects again into a synthetic domain name in an anonymous cloud:
    • Clickthrough landing page gets a severe WOT warning for shady reputation
  • The ultimate landing page at www.uniblue.comhas lots of provenance and honorifics in the logos, alleging:
    • Industry pundit quips & quotes.
    • Editors Pick from some magazine.
    • Microsoft Partner status and a logo.
  • Then they ask you to download a Windows exe file and run it on your machine.

Why wouldn’t this be scammy?

  • They’re not doing the most basic OS detection.
  • I’m not running Windows!
  • They want me to run an exe on my machine.


  • Cloudfront is Amazon, and they police all their customers to warrant their veracity, don’t they?
  • Microsoft Partner status is worth something isn’t it?  Surely not just anyone can put that logo on their web site!
  • The WOT bad reputation is from a single unhappy customer type comment, written in Russian.

You don’t run into this very much in Mozilla Addon culture.  Usually it’s all brightly-lit, brand-safe you-are-safe stuff.  But here, as they say in the trades: sounds legit.  Love the autopager, hate the phishing.


Some DomainKeys Identified Mail (DKIM) Verifiers using but 512-bit key length, which has fallen


  • Vulnerability Note VU#268267 DomainKeys Identified Mail (DKIM) Verifiers may inappropriately convey message trust
  • Original Release date: 2012-10-24; revised: 2012-11-09.


Iain Thomson; US-CERT warns DKIM email open to spoofing; In The Register; 2012-10-24.
Teaser: Mathematician accidentally spots flaw

  • Zachary Harris, mathematician, Florida
  • “A 384-bit key I can factor on my laptop in 24 hours, The 512-bit keys I can factor in about 72 hours using Amazon Web Services for $75. And I did do a number of those.”


  • 384 has fallen.
  • 512 has fallen.
  • 768 has fallen.
  • 1024 recommended.


Samy Kamkar’s Proofs Of Concept (Evercookie, NAT Pin, NAT Pwn)




iPhone/Android Tracking Research + Wardriving Database

Code at
I discovered that both the Apple iPhone and Google Android phones constantly send geolocation/GPS and wifi router information back up to Apple and Google. The iPhone does this even when the user has chosen to turn GPS/Location Services off. Since my release of this research, Apple and Google have both testified in front of Congress and are now involved in various lawsuits due to potential invasion of privacy. Besides the companies tracking the locations of all of these phones, I’ve created a tool that exposes not only the GPS data, but the wifi data Google has been collecting from virtually all Android devices and street view cars, using them essentially as global wardriving machines. When the phone detects any wireless network, encrypted or not, it sends the BSSID (MAC address) of the router along with signal strength, and most importantly, GPS coordinates up to the mothership. My tool allows you to ping that database and find exactly where any wifi router in the world is located. You can enter any router BSSID/MAC address to locate the exact physical location of the router. Try it here.

posted on 2011-04-21

evercookie: Extremely persistent virtually-irrevocable cookies

Code at
evercookie is a javascript API that produces extremely persistent cookies in a browser. Its goal is to identify a client even after they’ve removed standard cookies, Flash cookies (LSOs), and others. It currently stores cookies in standard HTTP cookies, Local Shared Objects (Flash Cookies), storing in RGB values of auto-generated, force-cached PNGs using HTML5 Canvas tag to read pixels (cookies) back out, storing in web history, HTML5 Session Storage, HTML5 Local Storage, HTML5 Global Storage, and HTML5 Database Storage via SQLite.

posted on 2010-09-20

The MySpace Worm: the fastest spreading worm in history

Code at
I developed the MySpace worm, the first XSS worm based on AJAX which proliferated through the MySpace network. Learn how I made over one million friends in less than 24 hours.

posted on 2009-12-20

peepmail: Discover private email addresses

Code at
Peepmail is a tool that allows you to discover business email addresses for users, even if their email address may not be publicly available or shared.

posted on 2011-04-20

jiagra: Website+Javascript Performance Enhancement API

Code at
jiagra is a stand-alone javascript API for automatic website performance enhancement. It currently features cross-browser pre-rendering/pre-fetching (allowing pages on your site to load in the background before the user has clicked on them), advanced setTimeout and setInterval control (detecting which timers/intervals are still running, have been cleared, or fired) which can allow for greater understanding of when *all* requests of a page have completed, and improved script tag support, allowing you to enter Javascript code in a single script tag that calls out to a remote URL, where the inline Javascript gets executed after the remote JS is executed, e.g.
< script src="path/to/script.js" >
< /script >

posted on 2011-06-15

phpwn: Attack on PHP sessions and random numbers

Code at
Studying PHP’s LCG (linear congruential generator, a pseudorandom number generator), I discovered that there are weaknesses that reduce the complexity of determining the sequence of pseudorandom numbers. What this means is that PHP is severely deficient in producing random session IDs or random numbers, leading to the possibility of stealing sessions or other sensitive information. The initial seed can be reduced from 64-bits to 35-bits, and with PHP code execution, can be reduced further down to just under 20-bits, which takes only seconds to recreate the initial seed.

posted on 2009-08-20

proxmark3: RFID penetration testing tool

Code at
I’m one of the primary developers of the proxmark3, a penetration testing tool for low and high-frequency RFID tags and readers, developed on an ARM7 microprocessor and Xilinx Spartan II FPGA. The device is capable of doing such things as read tags, simulate tags (such as HID badges), eavesdrop on transactions between another reader and tag, analyze a tag or signal passively, and more.

posted on 2009-12-20

NAT Pinning: Forcing Remote Routers to Port Forward

Code at
My NAT Pinning technique is a method that forces a user’s router or firewall, unbeknownst to them, to port forward any port number back to the user’s machine, simply by the user visiting a web page. If the user had FTP/ssh/etc open but blocked from the router, it can now be forwarded for anyone to access (read: attack) from the outside world. No XSS or CSRF required.

posted on 2010-01-05

quickjack: Automated Clickjack and Frame Slicing Tool

Code at
Quickjack is a tool developed to easily create pages with the capability to clickjack users no matter where they click on the page. The tool has an extremely intuitive interface and is literally a point-and-click tool. It also allows frame slicing and other features such as referral scrubing and more.

posted on 2010-02-01

pwnat: Advanced client-server NAT-to-NAT penetration

Code at
pwnat allows full client-server tunneling and proxying even when both server and client are behind separate NATs with no port forwarding and no DMZ setup on their routers to directly communicate with each other. There is no middle man, no proxy, no 3rd party, and the server side requires no information on the client.

posted on 2010-01-22

chownat: Peer-to-peer communication through NATs

Code at
chownat allows two peers behind two separate NATs with no port forwarding and no DMZ setup on their routers to directly communicate with each other. There is no middle man, no proxy, no 3rd party, and the application runs as an unprivileged user on both ends.

posted on 2009-12-20

mapxss: Accurate Geolocation via Router Exploitation

Code at
By using XSS exploitation of a user’s router, I’ve created a proof of concept which acquires the MAC address of the router of a web surfer, then uses the Google Service API to acquire geographic coordinates of the user (determined by the Google van driving around and seeing MAC address while tying it to coordinates.) This emulates Firefox’s Location-Aware Browsing without requiring any permission from the user or requiring Firefox.

posted on 2010-01-04

Packet: Perl modules for low-level packet injection/sniffing

Code at
Packet is a suite of portable Perl modules for encoding, decoding, injecting and sniffing low-level network packets. Packet also provides functionality for other low-level network tasks such as retrieving network device information and working directly with ARP cache tables..

posted on 2009-12-09

airsamy: Automated WEP injection and cracking via aircrack

Code at
airsamy provides a simple interface to quickly and automatically crack a WEP network in minutes. It displays a list of available WEP networks and once selected, it automatically places your driver in monitor mode, tests packet injection, fake authenticates with the AP, captures IVs for cracking, captures ARP packets and replays them to introduce more IVs into the network, and cracks using the PTW attack.

posted on 2009-10-24

ORYX Stream Cipher Implementation and Attack

Code at
I’ve implemented the ORYX stream cipher and a cryptanalytic attack able to recover the 96-bit internal key state in less than 2^20 ORYX operations. The ORYX stream cipher is used to encrypt data transmissions for the North American Cellular system.

posted on 2009-10-24

Anti-MITMA: Preventing Man in the Middle Attacks

Code at
I’ve described a simple method for authentication based protocols (e.g., ssh) to prevent man in the middle attacks. Rather than establishing a potentially MITMA’d connection, then authenticating, you can authenticate the initial key exchange. More details in the pdf.

posted on 2009-10-15

weap: WEP (RC4) Key Recovery (Cryptanalytic Attack)

Code at
I’ve implemented a version of Shamir’s attack on WEP, easily recovering a WEP key from encrypted wireless traffic due to weak keys and poor IV mixing into the RC4 key.

posted on october 15, 2009-10-15

AI::NS: Perl module providing Genetic Algorithms

Code at
AI::NaturalSelection provides a series of Perl modules using Genetic Algorithms to allow breeding and mutation to arise and emulate natural selection. Resultant honing can minimize the work required to solve certain fitness-testable problems.

posted on 2009-12-20

sql++: cross-database command line SQL client

Code at
sql++ is an easily configurable, feature-rich, portable command-line SQL tool. It can be used with many different databases and in place of other command line tools such as MySQL’s mysql-client, Microsoft SQL, PostgreSQL’s psql, and Oracle’s sqlplus. It has features such as multiple connections, multi-database interfacing, subselects for all databases, regardless of whether the database has native subselects or not, and much more.

posted on 2009-12-20

DISS: Download shared iTunes music automatically (Win32)

Code at
DISS (Download iTunes Shared Songs) automatically hooks into iTunes’ memory (winsock) on Windows and downloads any shared music you play into the DISS playlist. No user intervention is required for this to happen, it’s entirely automatic and typically only takes a second or two per song. Full C++ source and Windows binary included.

posted on 2005-11-20