Recap of the “Fail 2.0” Talk at ShmooCon

February 9, 2009

If you didn’t get the chance to attend Nathan Hamiel and Shawn Moyer’s “Bring It On!” talk “Fail 2.0: Further Musings on Attacking Social Networks,” you missed one heck of a talk. Not only was the content of their talk fascinating (they basically pwned Social Networks), but their presentation was filled with humor and creative profanity that would have made any veteran ShmooCon presenter proud.

Hamiel and Moyer also cleverly integrated Social Networking into their talk by requesting that the audience tweet them questions instead of asking questions out loud. Not only did this keep the presentation running more smoothly, it also increased audience participation. While the talk is now over, you can still follow Hamiel and Moyer on their Twitter pages: @nathanhamiel and @shawnmoyer.

While “Fail 2.0: Further Musings on Attacking Social Networks” was a standalone talk, it was actually based on a talk that Hamiel and Moyer had done at DefCon and BlackHat last year, entitled “Satan is on my friends list: Attacking Social Networks.” You can now download the slides from that talk at HexSec.com.

The nice thing about the “Fail 2.0” talk is that Hamiel and Moyer didn’t just focus on the technical side of Social Networks, but also talked about the goal of Social Networks, which is to:

  • Have users create the content
  • Get as many people in one place as possible
  • Retrieve demographic information on a large scale

Mind you, I’m paraphrasing, but those are some of the major goals behind Social Networks. Unfortunately (or fortunately, depending on who you talk to), all of these things and more make Social Networks an attacker’s dream. There are multiple flaws in Social Networks that can easily be exploited, meaning that pwnage for the user and the Social Network is pretty much imminent if users don’t know what they’re doing. (As Hamiel and Moyer pointed out, most users don’t know about the danger of flashy shiny things on their Social Networking pages.)

The major way that users of Social Networks get taken advantage of? Apps and external content. Hamiel and Moyer even went so far as to name their 6th slide “Offsite Content = Fuxor.” If a clever take on profane language doesn’t relay the seriousness of offsite content, I don’t know what will.

But why is offsite content so bad? Because it can be a clever disguise for malicious intent. Whether embedded in images, links, or what appear to be “external” websites, attackers can embed all sorts of assaults that can cause anything from identity theft (i.e. taking over someone’s Social Networking account and using it for devious means) to taking control over a user’s router.

While apps work the same way, they are especially dangerous because they can start out being non-malicious, but later become malicious if the attacker chooses. Worse still? You don’t even have to be the one who installed the app; even viewing the app on someone else’s page gives the attacker an opportunity to attack you via the information they’ve collected through your web browser.

All in all, Hamiel and Moyer’s talk was not only entertaining and informational, but timely. Social Networks show no sign of slowing down, which means that the potential attacks on users will only grow as time goes on. You can view the full “Fail 2.0” slides at HexSec.com.

Did you attend this talk? If so, I’m curious to hear what you thought about it.


One Response to Recap of the “Fail 2.0” Talk at ShmooCon

  1. Tom on February 9, 2009 at 1:46 pm

    Agreed, great presentation. Nathan and Shawn do some great research in this area. Entertaining speakers as well. One other thing that users of social media need to know is how to “use” social media with some security in mind. The best quote from this presentation has to be that everything you post to a social network (even with privacy settings in place) should always be considered public information.
